Merge "Adding compute server tests"
diff --git a/contrib/post_test_hook.sh b/contrib/post_test_hook.sh
index b864a9b..34555fb 100644
--- a/contrib/post_test_hook.sh
+++ b/contrib/post_test_hook.sh
@@ -35,6 +35,11 @@
# Import devstack function 'iniset'.
source $BASE/new/devstack/functions
+# Use uuid tokens for faster test runs
+KEYSTONE_CONF=/etc/keystone/keystone.conf
+iniset $KEYSTONE_CONF token provider uuid
+sudo service apache2 restart
+
# First argument is expected to contain value equal either to 'admin' or
# 'member' (both lower-case).
RBAC_ROLE=$1
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index 967342b..aa3135e 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -34,3 +34,7 @@
class RbacParsingException (exceptions.TempestException):
message = "Attempted to test an invalid policy file or action"
+
+
+class RbacInvalidErrorCode (exceptions.TempestException):
+ message = "Unsupported error code passed in test"
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index a6490e7..5e1e816 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -26,7 +26,37 @@
LOG = logging.getLogger(__name__)
-def action(service, rule):
+def action(service, rule, admin_only=False, expected_error_code=403):
+ """A decorator which does a policy check and matches it against test run.
+
+ A decorator which allows for positive and negative RBAC testing. Given
+ an OpenStack service and a policy action enforced by that service, an
+ oslo.policy lookup is performed by calling `authority.get_permission`.
+ The following cases are possible:
+
+ * If `allowed` is True and the test passes, this is a success.
+ * If `allowed` is True and the test fails, this is a failure.
+ * If `allowed` is False and the test passes, this is a failure.
+ * If `allowed` is False and the test fails, this is a success.
+
+ :param service: A OpenStack service: for example, "nova" or "neutron".
+ :param rule: A policy action defined in a policy.json file (or in code).
+ :param admin_only: Skips over oslo.policy check because the policy action
+ defined by `rule` is not enforced by the service's
+ policy enforcement logic. For example, Keystone v2
+ performs an admin check for most of its endpoints. If
+ True, `rule` is effectively ignored.
+ :param expected_error_code: Overrides default value of 403 (Forbidden)
+ with endpoint-specific error code. Currently
+ only supports 403 and 404. Support for 404
+ is needed because some services, like Neutron,
+ intentionally throw a 404 for security reasons.
+
+ :raises NotFound: if `service` is invalid or
+ if Tempest credentials cannot be found.
+ :raises Forbidden: for bullet (2) above.
+ :raises RbacOverPermission: for bullet (3) above.
+ """
def decorator(func):
def wrapper(*args, **kwargs):
try:
@@ -41,8 +71,19 @@
LOG.error(msg)
raise rbac_exceptions.RbacResourceSetupFailed(msg)
- authority = rbac_auth.RbacAuthority(tenant_id, user_id, service)
- allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)
+ if admin_only:
+ LOG.info("As admin_only is True, only admin role should be "
+ "allowed to perform the API. Skipping oslo.policy "
+ "check for policy action {0}.".format(rule))
+ allowed = CONF.rbac.rbac_test_role == 'admin'
+ else:
+ authority = rbac_auth.RbacAuthority(tenant_id, user_id,
+ service)
+ allowed = authority.get_permission(rule,
+ CONF.rbac.rbac_test_role)
+
+ expected_exception, irregular_msg = _get_exception_type(
+ expected_error_code)
try:
func(*args)
@@ -52,7 +93,7 @@
raise exceptions.NotFound(
"%s RbacInvalidService was: %s" %
(msg, e))
- except exceptions.Forbidden as e:
+ except expected_exception as e:
if allowed:
msg = ("Role %s was not allowed to perform %s." %
(CONF.rbac.rbac_test_role, rule))
@@ -60,6 +101,8 @@
raise exceptions.Forbidden(
"%s exception was: %s" %
(msg, e))
+ if irregular_msg:
+ LOG.warning(irregular_msg.format(rule, service))
except rbac_exceptions.RbacActionFailed as e:
if allowed:
msg = ("Role %s was not allowed to perform %s." %
@@ -80,3 +123,23 @@
switchToRbacRole=False)
return wrapper
return decorator
+
+
+def _get_exception_type(expected_error_code):
+ expected_exception = None
+ irregular_msg = None
+ supported_error_codes = [403, 404]
+ if expected_error_code == 403:
+ expected_exception = exceptions.Forbidden
+ elif expected_error_code == 404:
+ expected_exception = exceptions.NotFound
+ irregular_msg = ("NotFound exception was caught for policy action "
+ "{0}. The service {1} throws a 404 instead of a 403, "
+ "which is irregular.")
+ else:
+ msg = ("Please pass an expected error code. Currently "
+ "supported codes: {0}".format(str(supported_error_codes)))
+ LOG.error(msg)
+ raise rbac_exceptions.RbacInvalidErrorCode()
+
+ return expected_exception, irregular_msg
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index abbb435..db648df 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import oslo_utils.uuidutils as uuid_utils
import six
import time
@@ -87,12 +88,21 @@
raise
finally:
- if BaseTestCase.get_identity_version() != 'v3':
- test_obj.auth_provider.clear_auth()
- # Sleep to avoid 401 errors caused by rounding in timing of
- # fernet token creation.
+ # NOTE(felipemonteiro): These two comments below are copied from
+ # tempest.api.identity.v2/v3.test_users.
+ #
+ # Reset auth again to verify the password restore does work.
+ # Clear auth restores the original credentials and deletes
+ # cached auth data.
+ test_obj.auth_provider.clear_auth()
+ # Fernet tokens are not subsecond aware and Keystone should only be
+ # precise to the second. Sleep to ensure we are passing the second
+ # boundary before attempting to authenticate. If token is of type
+ # uuid, then do not sleep.
+ if not uuid_utils.is_uuid_like(cls.creds_client.
+ identity_client.token):
time.sleep(1)
- test_obj.auth_provider.set_auth()
+ test_obj.auth_provider.set_auth()
def _clear_user_roles(cls, user_id, tenant_id):
roles = cls.creds_client.roles_client.list_user_roles_on_project(
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index 356a74a..1704644 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -13,18 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo_config import cfg
from oslo_log import log
-from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
+from tempest import test
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
-CONF = config.CONF
+CONF = cfg.CONF
LOG = log.getLogger(__name__)
@@ -38,29 +37,27 @@
@classmethod
def skip_checks(cls):
super(FlavorAccessAdminRbacTest, cls).skip_checks()
- if not CONF.compute_feature_enabled.api_extensions:
- raise cls.skipException(
- '%s skipped as no compute extensions enabled' % cls.__name__)
+ if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
+ msg = "%s skipped as OS-FLV-EXT-DATA extension not enabled."\
+ % cls.__name__
+ raise cls.skipException(msg)
@classmethod
def resource_setup(cls):
super(FlavorAccessAdminRbacTest, cls).resource_setup()
cls.flavor_id = cls._create_flavor(is_public=False)['id']
+ cls.public_flavor_id = CONF.compute.flavor_ref
cls.tenant_id = cls.auth_provider.credentials.tenant_id
@decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-flavor-access")
- def test_list_flavor_access(self):
+ def test_show_flavor(self):
+ # NOTE(felipemonteiro): show_flavor enforces the specified policy
+ # action, but only works if a public flavor is passed.
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.client.list_flavor_access(self.flavor_id)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.client.show_flavor(self.public_flavor_id)['flavor']
@decorators.idempotent_id('39cb5c8f-9990-436f-9282-fc76a41d9bac')
@rbac_rule_validation.action(
@@ -69,7 +66,8 @@
def test_add_flavor_access(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.add_flavor_access(
- flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)[
+ 'flavor_access']
self.addCleanup(self.client.remove_flavor_access,
flavor_id=self.flavor_id, tenant_id=self.tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
index 2903342..dcf3c90 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_actions_rbac.py
@@ -16,6 +16,7 @@
from tempest.lib import decorators
from tempest import test
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
@@ -54,5 +55,7 @@
rule="os_compute_api:os-instance-actions:events")
def test_get_instance_action(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.client.show_instance_action(
+ instance_action = self.client.show_instance_action(
self.server['id'], self.request_id)['instanceAction']
+ if 'events' not in instance_action:
+ raise rbac_exceptions.RbacActionFailed
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index 0e1b00b..d466ded 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -18,6 +18,8 @@
from tempest.common import waiters
from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
from tempest import test
@@ -36,17 +38,34 @@
def setup_clients(cls):
super(ServerActionsRbacTest, cls).setup_clients()
cls.client = cls.servers_client
+ cls.snapshots_client = cls.snapshots_extensions_client
@classmethod
def resource_setup(cls):
cls.set_validation_resources()
super(ServerActionsRbacTest, cls).resource_setup()
+ # Create test server
cls.server_id = cls.create_test_server(wait_until='ACTIVE',
validatable=True)['id']
cls.flavor_ref = CONF.compute.flavor_ref
cls.flavor_ref_alt = CONF.compute.flavor_ref_alt
cls.image_ref = CONF.compute.image_ref
+ # Create a volume
+ volume_name = data_utils.rand_name(cls.__name__ + '-volume')
+ name_field = 'name'
+ if not CONF.volume_feature_enabled.api_v2:
+ name_field = 'display_name'
+
+ params = {name_field: volume_name,
+ 'imageRef': CONF.compute.image_ref,
+ 'size': CONF.volume.volume_size}
+ volume = cls.volumes_client.create_volume(**params)['volume']
+ waiters.wait_for_volume_resource_status(cls.volumes_client,
+ volume['id'], 'available')
+ cls.volumes.append(volume)
+ cls.volume_id = volume['id']
+
def setUp(self):
super(ServerActionsRbacTest, self).setUp()
try:
@@ -64,6 +83,56 @@
self.__class__.server_id = self.rebuild_server(
self.server_id, validatable=True)
+ @classmethod
+ def resource_cleanup(cls):
+ # If a test case creates an image from a server that is created with
+ # a volume, a volume snapshot will automatically be created by default.
+ # We need to delete the volume snapshot.
+ try:
+ body = cls.snapshots_extensions_client.list_snapshots()
+ volume_snapshots = body['snapshots']
+ except Exception:
+ LOG.info("Cannot retrieve snapshots for cleanup.")
+ else:
+ for snapshot in volume_snapshots:
+ if snapshot['volumeId'] == cls.volume_id:
+ # Wait for snapshot status to become 'available' before
+ # deletion
+ waiters.wait_for_volume_resource_status(
+ cls.snapshots_client, snapshot['id'], 'available')
+ test_utils.call_and_ignore_notfound_exc(
+ cls.snapshots_client.delete_snapshot, snapshot['id'])
+
+ for snapshot in volume_snapshots:
+ if snapshot['volumeId'] == cls.volume_id:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.snapshots_client.wait_for_resource_deletion,
+ snapshot['id'])
+
+ super(ServerActionsRbacTest, cls).resource_cleanup()
+
+ def _create_test_server_with_volume(self, volume_id):
+ # Create a server with the volume created earlier
+ server_name = data_utils.rand_name(self.__class__.__name__ + "-server")
+ bd_map_v2 = [{'uuid': volume_id,
+ 'source_type': 'volume',
+ 'destination_type': 'volume',
+ 'boot_index': 0,
+ 'delete_on_termination': True}]
+ device_mapping = {'block_device_mapping_v2': bd_map_v2}
+
+ # Since the server is booted from volume, the imageRef does not need
+ # to be specified.
+ server = self.client.create_server(name=server_name,
+ imageRef='',
+ flavorRef=CONF.compute.flavor_ref,
+ **device_mapping)['server']
+
+ waiters.wait_for_server_status(self.client, server['id'], 'ACTIVE')
+
+ self.servers.append(server)
+ return server
+
def _test_start_server(self):
self.client.start_server(self.server_id)
waiters.wait_for_server_status(self.client, self.server_id,
@@ -206,6 +275,29 @@
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_server(self.server_id)
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:servers:create_image")
+ @decorators.idempotent_id('ba0ac859-99f4-4055-b5e0-e0905a44d331')
+ def test_create_image(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ # This function will also call show image
+ self.create_image_from_server(self.server_id,
+ wait_until='ACTIVE')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:servers:create_image:allow_volume_backed")
+ @decorators.idempotent_id('8b869f73-49b3-4cc4-a0ce-ef64f8e1d6f9')
+ def test_create_image_volume_backed(self):
+ server = self._create_test_server_with_volume(self.volume_id)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ # This function will also call show image
+ self.create_image_from_server(server['id'],
+ wait_until='ACTIVE')
+
class ServerActionsV216RbacTest(rbac_base.BaseV2ComputeRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
index 3eab333..5f90c97 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
@@ -38,9 +38,9 @@
@classmethod
def resource_setup(cls):
super(ServerPasswordRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server()
+ cls.server = cls.create_test_server(wait_until="ACTIVE")
- @decorators.idempotent_id('43ad7995-2f12-41cd-8ef1-bae9ffc36818')
+ @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-password")
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
index ccde9bd..ba04d06 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -54,7 +54,8 @@
return endpoint
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_endpoint")
+ rule="identity:create_endpoint",
+ admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd124')
def test_create_endpoint(self):
@@ -67,7 +68,8 @@
self._create_endpoint()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_endpoint")
+ rule="identity:delete_endpoint",
+ admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd125')
def test_delete_endpoint(self):
@@ -81,7 +83,8 @@
self.endpoints_client.delete_endpoint(endpoint['endpoint']['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_endpoints")
+ rule="identity:list_endpoints",
+ admin_only=True)
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd126')
def test_list_endpoints(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 9c4ab33..dd0af46 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -25,7 +25,8 @@
class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_project")
+ rule="identity:create_project",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d904')
def test_create_project(self):
@@ -38,7 +39,8 @@
self._create_tenant()
@rbac_rule_validation.action(service="keystone",
- rule="identity:update_project")
+ rule="identity:update_project",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d905')
def test_update_project(self):
@@ -53,7 +55,8 @@
description="Changed description")
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_project")
+ rule="identity:delete_project",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d906')
def test_delete_project(self):
@@ -67,7 +70,8 @@
self.tenants_client.delete_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_project")
+ rule="identity:get_project",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d907')
def test_get_project(self):
@@ -82,7 +86,8 @@
self.tenants_client.show_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_projects")
+ rule="identity:list_projects",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d908')
def test_get_all_projects(self):
@@ -94,9 +99,10 @@
self.tenants_client.list_tenants()
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_user_projects")
+ rule="identity:list_user_projects",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d909')
- def test_list_users_for_tenant(self):
+ def test_list_project_users(self):
"""Get Users of a Project Test
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
index 74a423e..aeb8d05 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -53,7 +53,8 @@
tenant['id'], user['id'], role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_role")
+ rule="identity:create_role",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d904')
def test_create_role(self):
@@ -66,7 +67,8 @@
self._create_role()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_role")
+ rule="identity:delete_role",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d905')
def test_delete_role(self):
@@ -80,7 +82,8 @@
self.roles_client.delete_role(role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_role")
+ rule="identity:get_role",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d906')
def test_show_role(self):
@@ -94,7 +97,8 @@
self.roles_client.show_role(role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_roles")
+ rule="identity:list_roles",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d907')
def test_list_roles(self):
@@ -106,7 +110,8 @@
self.roles_client.list_roles()
@rbac_rule_validation.action(service="keystone",
- rule="identity:add_role_to_user")
+ rule="identity:add_role_to_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d908')
def test_create_role_on_project(self):
@@ -119,7 +124,8 @@
self._create_role_on_project(tenant, user, role)
@rbac_rule_validation.action(service="keystone",
- rule="identity:remove_role_from_user")
+ rule="identity:remove_role_from_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d909')
def test_delete_role_from_user_on_project(self):
@@ -135,7 +141,8 @@
tenant['id'], user['id'], role['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_user_roles")
+ rule="identity:get_user_roles",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d90a')
def test_list_user_roles_on_project(self):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
index 6ba60fa..bc3dae8 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -30,7 +30,8 @@
cls.services_client = cls.os.identity_services_client
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_service")
+ rule="identity:create_service",
+ admin_only=True)
@decorators.idempotent_id('370050f6-d271-4fb4-abc5-4de1d6dfbad2')
def test_create_service(self):
"""Create Service Test
@@ -41,7 +42,8 @@
self._create_service()
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_service")
+ rule="identity:delete_service",
+ admin_only=True)
@decorators.idempotent_id('f6c64fc3-6a1f-423e-af91-e411add3a384')
def test_delete_service(self):
"""Delete Service Test
@@ -54,7 +56,8 @@
self.services_client.delete_service(service_id)
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_service")
+ rule="identity:get_service",
+ admin_only=True)
@decorators.idempotent_id('504d62bb-97d7-445e-9d6d-b1945a7c9e08')
def test_show_service(self):
"""Show Service Test
@@ -67,7 +70,8 @@
self.services_client.show_service(service_id)
@rbac_rule_validation.action(service="keystone",
- rule="identity:list_services")
+ rule="identity:list_services",
+ admin_only=True)
@decorators.idempotent_id('d7dc461d-51ad-48e0-9cd2-33add1b88de9')
def test_list_services(self):
"""List all the services
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
index a94a811..da5cdce 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py
@@ -23,14 +23,16 @@
class IdentityUserV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
@rbac_rule_validation.action(service="keystone",
- rule="identity:create_user")
+ rule="identity:create_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d904')
def test_create_user(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_user()
@rbac_rule_validation.action(service="keystone",
- rule="identity:update_user")
+ rule="identity:update_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d905')
def test_update_user(self):
user = self._create_user()
@@ -39,7 +41,8 @@
self.users_client.update_user(user['id'], email="changedUser@xyz.com")
@rbac_rule_validation.action(service="keystone",
- rule="identity:set_user_enabled")
+ rule="identity:set_user_enabled",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d9a1')
def test_update_user_enabled(self):
user = self._create_user()
@@ -48,7 +51,8 @@
self.users_client.update_user_enabled(user['id'], enabled=True)
@rbac_rule_validation.action(service="keystone",
- rule="identity:delete_user")
+ rule="identity:delete_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d906')
def test_delete_user(self):
user = self._create_user()
@@ -57,14 +61,16 @@
self.users_client.delete_user(user['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_users")
+ rule="identity:get_users",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d907')
def test_list_users(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.users_client.list_users()
@rbac_rule_validation.action(service="keystone",
- rule="identity:get_user")
+ rule="identity:get_user",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d908')
def test_show_user(self):
user = self._create_user()
@@ -73,7 +79,8 @@
self.users_client.show_user(user['id'])
@rbac_rule_validation.action(service="keystone",
- rule="identity:change_password")
+ rule="identity:change_password",
+ admin_only=True)
@decorators.idempotent_id('0f148510-63bf-11e6-1342-080044d0d909')
def test_update_user_password(self):
user = self._create_user()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 7a67459..47f6590 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -38,43 +38,153 @@
def setup_clients(cls):
super(BaseIdentityV3RbacAdminTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
- cls.creds_client = cls.os.credentials_client
- cls.services_client = cls.os.identity_services_v3_client
- cls.endpoints_client = cls.os.endpoints_v3_client
- cls.groups_client = cls.os.groups_client
- cls.policies_client = cls.os.policies_client
+
cls.rbac_utils = rbac_utils()
cls.rbac_utils.switch_role(cls, switchToRbacRole=False)
- def _create_service(self):
- """Creates a service for test."""
- name = data_utils.rand_name('service')
- serv_type = data_utils.rand_name('type')
- desc = data_utils.rand_name('description')
- service = self.services_client \
- .create_service(name=name,
- type=serv_type,
- description=desc)['service']
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.services_client.delete_service, service['id'])
- return service
+ cls.creds_client = cls.os.credentials_client
+ cls.domains_client = cls.os.domains_client
+ cls.endpoints_client = cls.os.endpoints_v3_client
+ cls.groups_client = cls.os.groups_client
+ cls.projects_client = cls.os.projects_client
+ cls.policies_client = cls.os.policies_client
+ cls.regions_client = cls.os.regions_client
+ cls.roles_client = cls.os.roles_v3_client
+ cls.services_client = cls.os.identity_services_v3_client
+ cls.users_client = cls.os.users_v3_client
- def _setup_test_project(self):
+ def setup_test_credential(self, user=None):
+ """Creates a user, project, and credential for test."""
+ keys = [data_utils.rand_uuid_hex(),
+ data_utils.rand_uuid_hex()]
+ blob = '{"access": "%s", "secret": "%s"}' % (keys[0], keys[1])
+ credential = self.creds_client.create_credential(
+ user_id=user['id'],
+ project_id=user['project_id'],
+ blob=blob,
+ type='ec2')['credential']
+
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.creds_client.delete_credential,
+ credential['id'])
+
+ return credential
+
+ def setup_test_domain(self):
+ """Set up a test domain."""
+ domain = self.domains_client.create_domain(
+ name=data_utils.rand_name('test_domain'),
+ description=data_utils.rand_name('desc'))['domain']
+ # Delete the domain at the end of the test, but the domain must be
+ # disabled first (cleanup called in reverse order)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.domains_client.delete_domain,
+ domain['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.domains_client.update_domain,
+ domain['id'],
+ enabled=False)
+ return domain
+
+ def setup_test_endpoint(self, service=None):
+ """Creates a service and an endpoint for test."""
+ interface = 'public'
+ url = data_utils.rand_url()
+ # Endpoint creation requires a service
+ if service is None:
+ service = self.setup_test_service()
+ endpoint = self.endpoints_client.create_endpoint(
+ service_id=service['id'],
+ interface=interface,
+ url=url)['endpoint']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.endpoints_client.delete_endpoint,
+ endpoint['id'])
+ return endpoint
+
+ def setup_test_group(self):
+ """Creates a group for test."""
+ name = data_utils.rand_name('test_group')
+ group = self.groups_client.create_group(name=name)['group']
+ # Delete the group at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.groups_client.delete_group,
+ group['id'])
+ return group
+
+ def setup_test_policy(self):
+ """Creates a policy for test."""
+ blob = data_utils.rand_name('test_blob')
+ policy_type = data_utils.rand_name('PolicyType')
+ policy = self.policies_client.create_policy(
+ blob=blob,
+ policy=policy_type,
+ type="application/json")['policy']
+
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.policies_client.delete_policy,
+ policy['id'])
+ return policy
+
+ def setup_test_project(self):
"""Set up a test project."""
project = self.projects_client.create_project(
name=data_utils.rand_name('test_project'),
description=data_utils.rand_name('desc'))['project']
# Delete the project at the end of the test
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.projects_client.delete_project, project['id'])
+ self.projects_client.delete_project,
+ project['id'])
return project
- def _create_test_user(self, **kwargs):
- if kwargs['password'] is None:
- user_password = data_utils.rand_password()
- kwargs['password'] = user_password
- user = self.users_client.create_user(**kwargs)['user']
+ def setup_test_region(self):
+ """Creates a region for test."""
+ description = data_utils.rand_name('test_region_desc')
+
+ region = self.regions_client.create_region(
+ description=description)['region']
+
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.regions_client.delete_region,
+ region['id'])
+ return region
+
+ def setup_test_role(self):
+ """Set up a test role."""
+ name = data_utils.rand_name('test_role')
+ role = self.roles_client.create_role(name=name)['role']
+ # Delete the role at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role,
+ role['id'])
+ return role
+
+ def setup_test_service(self):
+ """Setup a test service."""
+ name = data_utils.rand_name('service')
+ serv_type = data_utils.rand_name('type')
+ desc = data_utils.rand_name('description')
+ service = self.services_client.create_service(
+ name=name,
+ type=serv_type,
+ description=desc)['service']
+ # Delete the service at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.services_client.delete_service,
+ service['id'])
+ return service
+
+ def setup_test_user(self, password=None, **kwargs):
+ """Set up a test user."""
+ username = data_utils.rand_name('test_user')
+ email = username + '@testmail.tm'
+ user = self.users_client.create_user(
+ name=username,
+ email=email,
+ password=password,
+ **kwargs)['user']
# Delete the user at the end of the test
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.users_client.delete_user, user['id'])
+ self.users_client.delete_user,
+ user['id'])
return user
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 7812ea8..1262c2e 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -14,7 +14,6 @@
# under the License.
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -24,67 +23,42 @@
class IdentityCredentialsV3AdminRbacTest(
rbac_base.BaseIdentityV3RbacAdminTest):
- def _create_credential(self):
- """Creates a user, project, and credential for test."""
- user = self.setup_test_user()
- user_id = user['id']
- project_id = user['project_id']
- keys = [data_utils.rand_name('Access'),
- data_utils.rand_name('Secret')]
- blob = "{\"access\": \"%s\", \"secret\": \"%s\"}" % (
- keys[0], keys[1])
- credential = self.creds_client \
- .create_credential(user_id=user_id,
- project_id=project_id,
- blob=blob,
- type='ec2')['credential']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.creds_client.delete_credential, credential['id'])
-
- return (project_id, credential)
+ def _create_user_project_and_credential(self):
+ project = self.setup_test_project()
+ user = self.setup_test_user(project_id=project['id'])
+ credential = self.setup_test_credential(user=user)
+ return credential
@rbac_rule_validation.action(service="keystone",
rule="identity:create_credential")
@decorators.idempotent_id('c1ab6d34-c59f-4ae1-bae9-bb3c1089b48e')
def test_create_credential(self):
- """Create a Credential.
-
- RBAC test for Keystone: identity:create_credential
- """
+ project = self.setup_test_project()
+ user = self.setup_test_user(project_id=project['id'])
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_credential()
+ self.setup_test_credential(user=user)
@rbac_rule_validation.action(service="keystone",
rule="identity:update_credential")
@decorators.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
def test_update_credential(self):
- """Update a Credential.
-
- RBAC test for Keystone: identity:update_credential
- """
- project_id, credential = self._create_credential()
- # Update blob keys
- new_keys = [data_utils.rand_name('NewAccess'),
- data_utils.rand_name('NewSecret')]
+ credential = self._create_user_project_and_credential()
+ new_keys = [data_utils.rand_uuid_hex(),
+ data_utils.rand_uuid_hex()]
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.creds_client \
- .update_credential(credential['id'],
- credential=credential,
- access_key=new_keys[0],
- secret_key=new_keys[1],
- project_id=project_id)['credential']
+ self.creds_client.update_credential(
+ credential['id'],
+ credential=credential,
+ access_key=new_keys[0],
+ secret_key=new_keys[1],
+ project_id=credential['project_id'])['credential']
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_credential")
@decorators.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
def test_delete_credential(self):
- """Delete a Credential.
-
- RBAC test for Keystone: identity:delete_credential
- """
- _, credential = self._create_credential()
+ credential = self._create_user_project_and_credential()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.delete_credential(credential['id'])
@@ -93,11 +67,7 @@
rule="identity:get_credential")
@decorators.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
def test_show_credential(self):
- """Show/Get a Credential.
-
- RBAC test for Keystone: identity:get_credential
- """
- _, credential = self._create_credential()
+ credential = self._create_user_project_and_credential()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.show_credential(credential['id'])
@@ -106,9 +76,5 @@
rule="identity:list_credentials")
@decorators.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
def test_list_credentials(self):
- """List all Credentials.
-
- RBAC test for Keystone: identity:list_credentials
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.creds_client.list_credentials()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
index e416b15..a18a056 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -13,69 +13,41 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentityEndpointsV3AdminRbacTest(
rbac_base.BaseIdentityV3RbacAdminTest):
- def _create_endpoint(self):
- """Creates a service and an endpoint for test."""
- interface = 'public'
- url = data_utils.rand_url()
- service = self._create_service()
- endpoint = self.endpoints_client \
- .create_endpoint(service_id=service['id'],
- interface=interface,
- url=url)['endpoint']
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.endpoints_client.delete_endpoint, endpoint['id'])
- return (service, endpoint)
-
@rbac_rule_validation.action(service="keystone",
rule="identity:create_endpoint")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd127')
def test_create_endpoint(self):
- """Create an endpoint.
-
- RBAC test for Keystone: identity:create_endpoint
- """
+ service = self.setup_test_service()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_endpoint()
+ self.setup_test_endpoint(service=service)
@rbac_rule_validation.action(service="keystone",
rule="identity:update_endpoint")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd128')
def test_update_endpoint(self):
- """Update an endpoint.
-
- RBAC test for Keystone: identity:update_endpoint
- """
- service, endpoint = self._create_endpoint()
+ endpoint = self.setup_test_endpoint()
new_url = data_utils.rand_url()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.endpoints_client.update_endpoint(endpoint["id"],
- service_id=service['id'],
- url=new_url)
+ self.endpoints_client.update_endpoint(
+ endpoint["id"],
+ url=new_url)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_endpoint")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd129')
def test_delete_endpoint(self):
- """Delete an endpoint.
-
- RBAC test for Keystone: identity:delete_endpoint
- """
- _, endpoint = self._create_endpoint()
+ endpoint = self.setup_test_endpoint()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.delete_endpoint(endpoint['id'])
@@ -84,11 +56,7 @@
rule="identity:get_endpoint")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd130')
def test_show_endpoint(self):
- """Show/Get an endpoint.
-
- RBAC test for Keystone: identity:get_endpoint
- """
- _, endpoint = self._create_endpoint()
+ endpoint = self.setup_test_endpoint()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.show_endpoint(endpoint['id'])
@@ -97,9 +65,5 @@
rule="identity:list_endpoints")
@decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd131')
def test_list_endpoints(self):
- """Create a Domain.
-
- RBAC test for Keystone: identity:create_domain
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.endpoints_client.list_endpoints()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index a61149e..5b5c079 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -13,61 +13,45 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
- def _create_group(self):
- """Creates a group for test."""
- name = data_utils.rand_name('group')
- group = self.groups_client.create_group(name=name)['group']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.groups_client.delete_group, group['id'])
- return group
-
- def _add_user_to_group(self, group_id):
+ def _create_user_and_add_to_new_group(self):
"""Creates a user and adds to a group for test."""
- user_name = data_utils.rand_name('User')
- user = self._create_test_user(name=user_name, password=None)
-
- self.groups_client.add_group_user(group_id, user['id'])
-
- return user['id']
+ group = self.setup_test_group()
+ user = self.setup_test_user()
+ self.groups_client.add_group_user(group['id'], user['id'])
+ return (group['id'], user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:create_group")
@decorators.idempotent_id('88377f51-9074-4d64-a22f-f8931d048c9a')
def test_create_group(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_group()
+ self.setup_test_group()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_group")
@decorators.idempotent_id('790fb7be-a657-4a64-9b83-c43425cf180b')
def test_update_group(self):
- group = self._create_group()
- # Update Group
- new_name = data_utils.rand_name('UpdateGroup')
+ group = self.setup_test_group()
+ new_group_name = data_utils.rand_name('group')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.update_group(group['id'],
- name=new_name)
+ name=new_group_name)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_group")
@decorators.idempotent_id('646b52da-2a5f-486a-afb0-51fdc86a6c12')
def test_delete_group(self):
- group = self._create_group()
+ group = self.setup_test_group()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.delete_group(group['id'])
@@ -76,7 +60,7 @@
rule="identity:get_group")
@decorators.idempotent_id('d530f0ad-42b9-429b-ad05-e53ac95a040e')
def test_show_group(self):
- group = self._create_group()
+ group = self.setup_test_group()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.show_group(group['id'])
@@ -92,26 +76,26 @@
rule="identity:add_user_to_group")
@decorators.idempotent_id('fdd49b74-3ed3-4736-9f0e-9027a32017ac')
def test_add_user_group(self):
- group = self._create_group()
+ group = self.setup_test_group()
+ user = self.setup_test_user()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._add_user_to_group(group['id'])
+ self.groups_client.add_group_user(group['id'], user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:remove_user_from_group")
@decorators.idempotent_id('8a60d11c-7d2b-47e5-a0f3-9ea900ca66fe')
def test_remove_user_group(self):
- group = self._create_group()
- user_id = self._add_user_to_group(group['id'])
+ group_id, user_id = self._create_user_and_add_to_new_group()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.groups_client.delete_group_user(group['id'], user_id)
+ self.groups_client.delete_group_user(group_id, user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_users_in_group")
@decorators.idempotent_id('b3e394a7-079e-4a0d-a4ff-9b266293d1ee')
def test_list_user_group(self):
- group = self._create_group()
+ group = self.setup_test_group()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.groups_client.list_group_users(group['id'])
@@ -120,8 +104,7 @@
rule="identity:check_user_in_group")
@decorators.idempotent_id('d3603241-fd87-4a2d-94f9-f32469d1aaba')
def test_check_user_group(self):
- group = self._create_group()
- user_id = self._add_user_to_group(group['id'])
+ group_id, user_id = self._create_user_and_add_to_new_group()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.groups_client.check_group_user_existence(group['id'], user_id)
+ self.groups_client.check_group_user_existence(group_id, user_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
index b115fb0..792ddaa 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -13,55 +13,38 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
- def _create_policy(self):
- """Creates a policy for test."""
- blob = data_utils.rand_name('BlobName')
- policy_type = data_utils.rand_name('PolicyType')
- policy = self.policies_client.create_policy(
- blob=blob,
- policy=policy_type,
- type="application/json")['policy']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.policies_client.delete_policy, policy['id'])
- return policy
-
@rbac_rule_validation.action(service="keystone",
rule="identity:create_policy")
@decorators.idempotent_id('de2f7ecb-fbf0-41f3-abf4-b97b5e082fd5')
def test_create_policy(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_policy()
+ self.setup_test_policy()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_policy")
@decorators.idempotent_id('9cfed3c6-0b27-4d15-be67-e06e0cfb01b9')
def test_update_policy(self):
- policy = self._create_policy()
- update_type = data_utils.rand_name('UpdatedPolicyType')
+ policy = self.setup_test_policy()
+ new_policy_type = data_utils.rand_name('policy_type')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.update_policy(policy['id'],
- type=update_type)
+ type=new_policy_type)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_policy")
@decorators.idempotent_id('dcd93f75-1e1b-4fbe-bee0-9c4c7b201735')
def test_delete_policy(self):
- policy = self._create_policy()
+ policy = self.setup_test_policy()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.delete_policy(policy['id'])
@@ -70,7 +53,7 @@
rule="identity:get_policy")
@decorators.idempotent_id('d7e415c2-945a-4504-9571-0e2d0dd8594b')
def test_show_policy(self):
- policy = self._create_policy()
+ policy = self.setup_test_policy()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.policies_client.show_policy(policy['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
index d0b843d..fbbc81b 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -13,15 +13,12 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentityProjectV3AdminRbacTest(
rbac_base.BaseIdentityV3RbacAdminTest):
@@ -30,64 +27,41 @@
rule="identity:create_project")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d904')
def test_create_project(self):
- """Create a Project.
-
- RBAC test for Keystone: identity:create_project
- """
- name = data_utils.rand_name('project')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- project = self.non_admin_projects_client \
- .create_project(name)['project']
- self.addCleanup(self.projects_client.delete_project, project['id'])
+ self.setup_test_project()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_project")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d905')
def test_update_project(self):
- """Update a Project.
-
- RBAC test for Keystone: identity:update_project
- """
- project = self._setup_test_project()
+ project = self.setup_test_project()
+ new_desc = data_utils.rand_name('description')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_projects_client \
- .update_project(project['id'],
- description="Changed description")
+ self.projects_client.update_project(project['id'],
+ description=new_desc)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_project")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d906')
def test_delete_project(self):
- """Delete a Project.
-
- RBAC test for Keystone: identity:delete_project
- """
- project = self._setup_test_project()
+ project = self.setup_test_project()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_projects_client.delete_project(project['id'])
+ self.projects_client.delete_project(project['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_project")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d907')
def test_show_project(self):
- """Show a project.
-
- RBAC test for Keystone: identity:get_project
- """
- project = self._setup_test_project()
+ project = self.setup_test_project()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_projects_client.show_project(project['id'])
+ self.projects_client.show_project(project['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_projects")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d908')
def test_list_projects(self):
- """List all projects.
-
- RBAC test for Keystone: identity:list_projects
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_projects_client.list_projects()
+ self.projects_client.list_projects()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
new file mode 100644
index 0000000..9e4886a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_regions_rbac.py
@@ -0,0 +1,66 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityRegionsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_region")
+ @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd119')
+ def test_create_region(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.setup_test_region()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_region")
+ @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd120')
+ def test_update_region(self):
+ region = self.setup_test_region()
+ new_description = data_utils.rand_name('test_update_region')
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.regions_client.update_region(region['id'],
+ description=new_description)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_region")
+ @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd121')
+ def test_delete_region(self):
+ region = self.setup_test_region()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.regions_client.delete_region(region['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_region")
+ @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd122')
+ def test_show_region(self):
+ region = self.setup_test_region()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.regions_client.show_region(region['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_regions")
+ @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd123')
+ def test_list_regions(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.regions_client.list_regions()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
index 1439f4f..1316be0 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -13,15 +13,12 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
@@ -29,23 +26,15 @@
rule="identity:create_service")
@decorators.idempotent_id('9a4bb317-f0bb-4005-8df0-4b672885b7c8')
def test_create_service(self):
- """Create a service.
-
- RBAC test for Keystone: identity:create_service
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_service()
+ self.setup_test_service()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_service")
@decorators.idempotent_id('b39447d1-2cf6-40e5-a899-46f287f2ecf0')
def test_update_service(self):
- """Update a service.
-
- RBAC test for Keystone: identity:update_service
- """
- service = self._create_service()
- new_name = data_utils.rand_name('new_test_name')
+ service = self.setup_test_service()
+ new_name = data_utils.rand_name('service')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.update_service(service['id'],
@@ -57,11 +46,7 @@
rule="identity:delete_service")
@decorators.idempotent_id('177b991a-438d-4bef-8e9f-9c6cc5a1c9e8')
def test_delete_service(self):
- """Delete a service.
-
- RBAC test for Keystone: identity:delete_service
- """
- service = self._create_service()
+ service = self.setup_test_service()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.delete_service(service['id'])
@@ -70,11 +55,7 @@
rule="identity:get_service")
@decorators.idempotent_id('d89a9ac6-cd53-428d-84c0-5bc71f4a432d')
def test_show_service(self):
- """Show/Get a service.
-
- RBAC test for Keystone: identity:get_service
- """
- service = self._create_service()
+ service = self.setup_test_service()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.show_service(service['id'])
@@ -83,9 +64,5 @@
rule="identity:list_services")
@decorators.idempotent_id('706e6bea-3385-4718-919c-0b5121395806')
def test_list_services(self):
- """list all services.
-
- RBAC test for Keystone: identity:list_services
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 66798cd..b07e982 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -13,126 +13,86 @@
# License for the specific language governing permissions and limitations
# under the License.
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
-CONF = config.CONF
-
class IdentityUserV3AdminRbacTest(
rbac_base.BaseIdentityV3RbacAdminTest):
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityUserV3AdminRbacTest, cls).resource_setup()
+ cls.default_user_id = cls.auth_provider.credentials.user_id
+
@rbac_rule_validation.action(service="keystone",
rule="identity:create_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
def test_create_user(self):
- """Creates a user.
-
- RBAC test for Keystone: identity:create_user
- """
- user_name = data_utils.rand_name('test_create_user')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.create_user(name=user_name)
+ self.setup_test_user()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d905')
def test_update_user(self):
- """Updates a user.
-
- RBAC test for Keystone: identity:update_user
- """
- user_name = data_utils.rand_name('test_update_user')
- user = self._create_test_user(name=user_name, password=None)
+ user = self.setup_test_user()
+ new_email = data_utils.rand_name('user_email')
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.update_user(user['id'],
- name=user_name,
- email="changedUser@xyz.com")
+ self.users_client.update_user(user['id'],
+ name=user['name'],
+ email=new_email)
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d906')
def test_delete_user(self):
- """Get the list of users.
-
- RBAC test for Keystone: identity:delete_user
- """
- user_name = data_utils.rand_name('test_delete_user')
- user = self._create_test_user(name=user_name, password=None)
+ user = self.setup_test_user()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.delete_user(user['id'])
+ self.users_client.delete_user(user['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_users")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d907')
def test_list_users(self):
- """Get the list of users.
-
- RBAC test for Keystone: identity:list_users
- """
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.list_users()
+ self.users_client.list_users()
@rbac_rule_validation.action(service="keystone",
rule="identity:get_user")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d908')
- def test_show_user(self):
- """Get one user.
-
- RBAC test for Keystone: identity:get_user
- """
- user_name = data_utils.rand_name('test_get_user')
- user = self._create_test_user(name=user_name, password=None)
-
+ def test_show_own_user(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.show_user(user['id'])
+ self.users_client.show_user(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:change_password")
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d90a')
def test_change_password(self):
- """Update a user password
-
- RBAC test for Keystone: identity:change_password
- """
- user_name = data_utils.rand_name('test_change_password')
- user = self._create_test_user(name=user_name, password='nova')
+ original_password = data_utils.rand_password()
+ user = self.setup_test_user(password=original_password)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client \
- .update_user_password(user['id'],
- original_password='nova',
- password='neutron')
+ self.users_client.update_user_password(
+ user['id'],
+ original_password=original_password,
+ password=data_utils.rand_password())
@rbac_rule_validation.action(service="keystone",
rule="identity:list_groups_for_user")
@decorators.idempotent_id('bd5946d4-46d2-423d-a800-a3e7aabc18b3')
- def test_list_group_user(self):
- """Lists groups which a user belongs to.
-
- RBAC test for Keystone: identity:list_groups_for_user
- """
- user_name = data_utils.rand_name('User')
- user = self._create_test_user(name=user_name, password=None)
-
+ def test_list_own_user_group(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.list_user_groups(user['id'])
+ self.users_client.list_user_groups(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_user_projects")
@decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d909')
- def test_list_user_projects(self):
- """List User's Projects.
-
- RBAC test for Keystone: identity:list_user_projects
- """
- user = self.setup_test_user()
-
+ def test_list_own_user_projects(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.non_admin_users_client.list_user_projects(user['id'])
+ self.users_client.list_user_projects(self.default_user_id)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
index bbd5a79..7d99d55 100644
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
@@ -16,9 +16,7 @@
from oslo_log import log as logging
from tempest import config
from tempest.lib import decorators
-from tempest.lib import exceptions
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.image import rbac_base as base
@@ -79,7 +77,8 @@
self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
- rule="get_member")
+ rule="get_member",
+ expected_error_code=404)
@decorators.idempotent_id('c01fd308-6484-11e6-881e-080027d0d606')
def test_show_image_member(self):
@@ -87,24 +86,16 @@
RBAC test for the glance get_member policy
"""
- try:
- image_id = self.create_image()['id']
- self.image_member_client.create_image_member(
- image_id,
- member=self.alt_tenant_id)
+ image_id = self.create_image()['id']
+ self.image_member_client.create_image_member(
+ image_id,
+ member=self.alt_tenant_id)
- # Toggle role and get image member
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.image_member_client.show_image_member(
- image_id,
- self.alt_tenant_id)
- except exceptions.NotFound as e:
- '''If the role doesn't have access to an image, a 404 exception is
- thrown when the roles tries to show an image member'''
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the image and tries to show "
- "image members")
- raise rbac_exceptions.RbacActionFailed(e)
+ # Toggle role and get image member
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.image_member_client.show_image_member(
+ image_id,
+ self.alt_tenant_id)
@rbac_rule_validation.action(service="glance",
rule="modify_member")
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index d186f38..bd562ec 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -19,9 +19,7 @@
from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -108,7 +106,9 @@
self.floating_ips_client.update_floatingip(
floating_ip['id'], port_id=None)
- @rbac_rule_validation.action(service="neutron", rule="get_floatingip")
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_floatingip",
+ expected_error_code=404)
@decorators.idempotent_id('f8846fd0-c976-48fe-a148-105303931b32')
def test_show_floating_ip(self):
"""Show floating IP.
@@ -117,18 +117,12 @@
"""
floating_ip = self._create_floatingip()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
-
- try:
- # Show floating IP
- self.floating_ips_client.show_floatingip(floating_ip['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
@rbac_rule_validation.action(service="neutron",
- rule="delete_floatingip")
+ rule="delete_floatingip",
+ expected_error_code=404)
@decorators.idempotent_id('2611b068-30d4-4241-a78f-1b801a14db7e')
def test_delete_floating_ip(self):
"""Delete floating IP.
@@ -137,13 +131,5 @@
"""
floating_ip = self._create_floatingip()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
-
- try:
- # Delete the floating IP
- self.floating_ips_client.delete_floatingip(floating_ip['id'])
-
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
index 21c2f96..10a20f4 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
@@ -18,10 +18,8 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
from tempest import test
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -81,7 +79,8 @@
self._create_metering_label_rule(self.label)
@rbac_rule_validation.action(service="neutron",
- rule="get_metering_label_rule")
+ rule="get_metering_label_rule",
+ expected_error_code=404)
@decorators.idempotent_id('e21b40c3-d44d-412f-84ea-836ca8603bcb')
def test_show_metering_label_rule(self):
"""Show metering label rule.
@@ -90,17 +89,12 @@
"""
label_rule = self._create_metering_label_rule(self.label)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.metering_label_rules_client.show_metering_label_rule(
- label_rule['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.metering_label_rules_client.show_metering_label_rule(
+ label_rule['id'])
@rbac_rule_validation.action(service="neutron",
- rule="delete_metering_label_rule")
+ rule="delete_metering_label_rule",
+ expected_error_code=404)
@decorators.idempotent_id('e3adc88c-05c0-43a7-8e32-63947ae4890e')
def test_delete_metering_label_rule(self):
"""Delete metering label rule.
@@ -109,11 +103,5 @@
"""
label_rule = self._create_metering_label_rule(self.label)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.metering_label_rules_client.delete_metering_label_rule(
- label_rule['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.metering_label_rules_client.delete_metering_label_rule(
+ label_rule['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index 09e298c..eb17df4 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -17,10 +17,8 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
from tempest import test
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -63,7 +61,8 @@
self._create_metering_label()
@rbac_rule_validation.action(service="neutron",
- rule="get_metering_label")
+ rule="get_metering_label",
+ expected_error_code=404)
@decorators.idempotent_id('c57f6636-c702-4755-8eac-5e73bc1f7d14')
def test_show_metering_label(self):
"""Show metering label.
@@ -72,16 +71,11 @@
"""
label = self._create_metering_label()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.metering_labels_client.show_metering_label(label['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.metering_labels_client.show_metering_label(label['id'])
@rbac_rule_validation.action(service="neutron",
- rule="delete_metering_label")
+ rule="delete_metering_label",
+ expected_error_code=404)
@decorators.idempotent_id('1621ccfe-2e3f-4d16-98aa-b620f9d00404')
def test_delete_metering_label(self):
"""Delete metering label.
@@ -90,10 +84,4 @@
"""
label = self._create_metering_label()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.metering_labels_client.delete_metering_label(label['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.metering_labels_client.delete_metering_label(label['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index 518c71b..80f6270 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
#
+
import netaddr
import random
@@ -21,7 +22,6 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
@@ -36,25 +36,24 @@
@classmethod
def resource_setup(cls):
super(PortsRbacTest, cls).resource_setup()
- cls.admin_network = cls.create_network()
+ cls.network = cls.create_network()
# Create a subnet by admin user
cls.cidr = netaddr.IPNetwork(CONF.network.project_network_cidr)
- cls.admin_subnet = cls.create_subnet(cls.admin_network,
- cidr=cls.cidr,
- mask_bits=24)
- cls.admin_ip_range = netaddr.IPRange(
- cls.admin_subnet['allocation_pools'][0]['start'],
- cls.admin_subnet['allocation_pools'][0]['end'])
+ cls.subnet = cls.create_subnet(cls.network, cidr=cls.cidr,
+ mask_bits=24)
+ cls.ip_range = netaddr.IPRange(
+ cls.subnet['allocation_pools'][0]['start'],
+ cls.subnet['allocation_pools'][0]['end'])
# Create a port by admin user
- body = cls.ports_client.create_port(network_id=cls.admin_network['id'])
- cls.admin_port = body['port']
- cls.ports.append(cls.admin_port)
- ipaddr = cls.admin_port['fixed_ips'][0]['ip_address']
- cls.admin_port_ip_address = ipaddr
- cls.admin_port_mac_address = cls.admin_port['mac_address']
+ body = cls.ports_client.create_port(network_id=cls.network['id'])
+ cls.port = body['port']
+ cls.ports.append(cls.port)
+ ipaddr = cls.port['fixed_ips'][0]['ip_address']
+ cls.port_ip_address = ipaddr
+ cls.port_mac_address = cls.port['mac_address']
def _create_port(self, **post_body):
@@ -74,7 +73,7 @@
def test_create_port(self):
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- post_body = {'network_id': self.admin_network['id']}
+ post_body = {'network_id': self.network['id']}
self._create_port(**post_body)
@rbac_rule_validation.action(service="neutron",
@@ -82,7 +81,7 @@
@decorators.idempotent_id('a54bd6b8-a7eb-4101-bfe8-093930b0d660')
def test_create_port_binding_host_id(self):
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:host_id': "rbac_test_host"}
self.rbac_utils.switch_role(self, switchToRbacRole=True)
@@ -92,13 +91,18 @@
rule="create_port:fixed_ips")
@decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
def test_create_port_fixed_ips(self):
- # Pick an ip address within the allocation_pools range
- ip_address = random.choice(list(self.admin_ip_range))
+
+ # Pick an unused ip address to avoid IpAddressAlreadyAllocated
+ # exception.
+ current_ports = self.ports_client.list_ports()['ports']
+ in_use_ips = [p['fixed_ips'][0]['ip_address'] for p in current_ports]
+ unused_ip_range = list(set(self.ip_range) - set(in_use_ips))
+ ip_address = random.choice(unused_ip_range)
fixed_ips = [{'ip_address': ip_address},
- {'subnet_id': self.admin_subnet['id']}]
+ {'subnet_id': self.subnet['id']}]
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'fixed_ips': fixed_ips}
self.rbac_utils.switch_role(self, switchToRbacRole=True)
@@ -109,7 +113,7 @@
@decorators.idempotent_id('aee6d0be-a7f3-452f-aefc-796b4eb9c9a8')
def test_create_port_mac_address(self):
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'mac_address': data_utils.rand_mac_address()}
self.rbac_utils.switch_role(self, switchToRbacRole=True)
@@ -122,7 +126,7 @@
binding_profile = {"foo": "1"}
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:profile': binding_profile}
self.rbac_utils.switch_role(self, switchToRbacRole=True)
@@ -134,29 +138,22 @@
def test_create_port_allowed_address_pairs(self):
# Create port with allowed address pair attribute
- allowed_address_pairs = [{'ip_address': self.admin_port_ip_address,
- 'mac_address': self.admin_port_mac_address}]
+ allowed_address_pairs = [{'ip_address': self.port_ip_address,
+ 'mac_address': self.port_mac_address}]
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'allowed_address_pairs': allowed_address_pairs}
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_port(**post_body)
- @rbac_rule_validation.action(service="neutron", rule="get_port")
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_port",
+ expected_error_code=404)
@decorators.idempotent_id('a9d41cb8-78a2-4b97-985c-44e4064416f4')
def test_show_port(self):
-
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
-
- self.ports_client.show_port(self.admin_port['id'])
-
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.show_port(self.port['id'])
@rbac_rule_validation.action(service="neutron",
rule="get_port:binding:vif_type")
@@ -166,16 +163,14 @@
# Verify specific fields of a port
fields = ['binding:vif_type']
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.show_port(self.admin_port['id'],
- fields=fields)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ retrieved_port = self.ports_client.show_port(
+ self.port['id'], fields=fields)['port']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if fields[0] not in retrieved_port:
+ raise rbac_exceptions.RbacActionFailed
@rbac_rule_validation.action(service="neutron",
rule="get_port:binding:vif_details")
@@ -185,16 +180,14 @@
# Verify specific fields of a port
fields = ['binding:vif_details']
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.show_port(self.admin_port['id'],
- fields=fields)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ retrieved_port = self.ports_client.show_port(
+ self.port['id'], fields=fields)['port']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if fields[0] not in retrieved_port:
+ raise rbac_exceptions.RbacActionFailed
@rbac_rule_validation.action(service="neutron",
rule="get_port:binding:host_id")
@@ -203,20 +196,18 @@
# Verify specific fields of a port
fields = ['binding:host_id']
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:host_id': data_utils.rand_name('host-id')}
port = self._create_port(**post_body)
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.show_port(port['id'],
- fields=fields)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ retrieved_port = self.ports_client.show_port(
+ port['id'], fields=fields)['port']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if fields[0] not in retrieved_port:
+ raise rbac_exceptions.RbacActionFailed
@rbac_rule_validation.action(service="neutron",
rule="get_port:binding:profile")
@@ -226,37 +217,34 @@
# Verify specific fields of a port
fields = ['binding:profile']
binding_profile = {"foo": "1"}
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:profile': binding_profile}
port = self._create_port(**post_body)
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.show_port(port['id'],
- fields=fields)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ retrieved_port = self.ports_client.show_port(
+ port['id'], fields=fields)['port']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if fields[0] not in retrieved_port:
+ raise rbac_exceptions.RbacActionFailed
@rbac_rule_validation.action(service="neutron",
rule="update_port")
@decorators.idempotent_id('afa80981-3c59-42fd-9531-3bcb2cd03711')
def test_update_port(self):
- port = self.create_port(self.admin_network)
+ port = self.create_port(self.network)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.update_port(port['id'],
- admin_state_up=False)
+ self.ports_client.update_port(port['id'], admin_state_up=False)
@rbac_rule_validation.action(service="neutron",
rule="update_port:mac_address")
@decorators.idempotent_id('507140c8-7b14-4d63-b627-2103691d887e')
def test_update_port_mac_address(self):
- port = self.create_port(self.admin_network)
+ port = self.create_port(self.network)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(
port['id'],
@@ -267,22 +255,27 @@
@decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')
def test_update_port_fixed_ips(self):
- # Pick an ip address within the allocation_pools range
- ip_address = random.choice(list(self.admin_ip_range))
- fixed_ips = [{'ip_address': ip_address}]
- post_body = {'network_id': self.admin_network['id']}
+ # Pick an ip address within the allocation_pools range.
+ post_body = {'network_id': self.network['id']}
port = self._create_port(**post_body)
+ # Pick an unused ip address to avoid IpAddressAlreadyAllocated
+ # exception.
+ current_ports = self.ports_client.list_ports()['ports']
+ in_use_ips = [p['fixed_ips'][0]['ip_address'] for p in current_ports]
+ unused_ip_range = list(set(self.ip_range) - set(in_use_ips))
+ ip_address = random.choice(unused_ip_range)
+
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
- fixed_ips=fixed_ips)
+ fixed_ips=[{'ip_address': ip_address}])
@rbac_rule_validation.action(service="neutron",
rule="update_port:port_security_enabled")
@decorators.idempotent_id('795541af-6652-4e35-9581-fd58224f7545')
def test_update_port_security_enabled(self):
- port = self.create_port(self.admin_network)
+ port = self.create_port(self.network)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
self.ports_client.update_port(port['id'],
security_groups=[])
@@ -292,7 +285,7 @@
@decorators.idempotent_id('24206a72-0d90-4712-918c-5c9a1ebef64d')
def test_update_port_binding_host_id(self):
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:host_id': 'rbac_test_host'}
port = self._create_port(**post_body)
@@ -308,7 +301,7 @@
def test_update_port_binding_profile(self):
binding_profile = {"foo": "1"}
- post_body = {'network_id': self.admin_network['id'],
+ post_body = {'network_id': self.network['id'],
'binding:profile': binding_profile}
port = self._create_port(**post_body)
@@ -325,11 +318,11 @@
@decorators.idempotent_id('729c2151-bb49-4f4f-9d58-3ed8819b7582')
def test_update_port_allowed_address_pairs(self):
- ip_address = random.choice(list(self.admin_ip_range))
+ ip_address = random.choice(list(self.ip_range))
# Update allowed address pair attribute of port
address_pairs = [{'ip_address': ip_address,
'mac_address': data_utils.rand_mac_address()}]
- post_body = {'network_id': self.admin_network['id']}
+ post_body = {'network_id': self.network['id']}
port = self._create_port(**post_body)
self.rbac_utils.switch_role(self, switchToRbacRole=True)
@@ -337,17 +330,11 @@
allowed_address_pairs=address_pairs)
@rbac_rule_validation.action(service="neutron",
- rule="delete_port")
+ rule="delete_port",
+ expected_error_code=404)
@decorators.idempotent_id('1cf8e582-bc09-46cb-b32a-82bf991ad56f')
def test_delete_port(self):
- try:
- port = self._create_port(network_id=self.admin_network['id'])
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.ports_client.delete_port(port['id'])
-
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ port = self._create_port(network_id=self.network['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.delete_port(port['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index a227e5c..69aa32a 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -21,10 +21,8 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
from tempest import test
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -96,6 +94,7 @@
create_router:external_gateway_info:external_fixed_ips policy
"""
name = data_utils.rand_name('snat-router')
+
# Pick an ip address within the allocation_pools range
ip_address = random.choice(list(self.admin_ip_range))
external_fixed_ips = {'subnet_id': self.admin_subnet['id'],
@@ -111,7 +110,9 @@
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
- @rbac_rule_validation.action(service="neutron", rule="get_router")
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_router",
+ expected_error_code=404)
@decorators.idempotent_id('bfbdbcff-f115-4d3e-8cd5-6ada33fd0e21')
def test_show_router(self):
"""Get Router
@@ -119,13 +120,7 @@
RBAC test for the neutron get_router policy
"""
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.routers_client.show_router(self.admin_router['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.routers_client.show_router(self.admin_router['id'])
@rbac_rule_validation.action(
service="neutron", rule="update_router")
@@ -167,6 +162,10 @@
self.routers_client.update_router(
self.admin_router['id'],
external_gateway_info={'network_id': self.admin_network['id']})
+ self.addCleanup(
+ self.routers_client.update_router,
+ self.admin_router['id'],
+ external_gateway_info=None)
@rbac_rule_validation.action(
service="neutron",
@@ -183,6 +182,10 @@
self.admin_router['id'],
external_gateway_info={'network_id': self.admin_network['id'],
'enable_snat': True})
+ self.addCleanup(
+ self.routers_client.update_router,
+ self.admin_router['id'],
+ external_gateway_info=None)
@rbac_rule_validation.action(
service="neutron",
@@ -211,7 +214,8 @@
external_gateway_info=None)
@rbac_rule_validation.action(service="neutron",
- rule="delete_router")
+ rule="delete_router",
+ expected_error_code=404)
@decorators.idempotent_id('c0634dd5-0467-48f7-a4ae-1014d8edb2a7')
def test_delete_router(self):
"""Delete Router
@@ -220,16 +224,11 @@
"""
router = self.create_router()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.routers_client.delete_router(router['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.routers_client.delete_router(router['id'])
@rbac_rule_validation.action(service="neutron",
- rule="add_router_interface")
+ rule="add_router_interface",
+ expected_error_code=404)
@decorators.idempotent_id('a0627778-d68d-4913-881b-e345360cca19')
def test_add_router_interfaces(self):
"""Add Router Interface
@@ -241,22 +240,17 @@
router = self.create_router()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.routers_client.add_router_interface(
- router['id'], subnet_id=subnet['id'])
- self.addCleanup(
- test_utils.call_and_ignore_notfound_exc,
- self.routers_client.remove_router_interface,
- router['id'],
- subnet_id=subnet['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.routers_client.remove_router_interface,
+ router['id'],
+ subnet_id=subnet['id'])
@rbac_rule_validation.action(service="neutron",
- rule="remove_router_interface")
+ rule="remove_router_interface",
+ expected_error_code=404)
@decorators.idempotent_id('ff2593a4-2bff-4c27-97d3-dd3702b27dfb')
def test_remove_router_interfaces(self):
"""Remove Router Interface
@@ -276,12 +270,6 @@
subnet_id=subnet['id'])
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.routers_client.remove_router_interface(
- router['id'],
- subnet_id=subnet['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.routers_client.remove_router_interface(
+ router['id'],
+ subnet_id=subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index cf76836..289c669 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -18,9 +18,7 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -80,53 +78,40 @@
self._create_security_group()
@rbac_rule_validation.action(service="neutron",
- rule="get_security_group")
+ rule="get_security_group",
+ expected_error_code=404)
@decorators.idempotent_id('56335e77-aef2-4b54-86c7-7f772034b585')
def test_show_security_groups(self):
- try:
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.security_groups_client.show_security_group(
- self.secgroup['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_groups_client.show_security_group(
+ self.secgroup['id'])
@rbac_rule_validation.action(service="neutron",
- rule="delete_security_group")
+ rule="delete_security_group",
+ expected_error_code=404)
@decorators.idempotent_id('0b1330fd-dd28-40f3-ad73-966052e4b3de')
def test_delete_security_group(self):
# Create a security group
secgroup_id = self._create_security_group()['id']
+
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.security_groups_client.delete_security_group(secgroup_id)
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.security_groups_client.delete_security_group(secgroup_id)
@rbac_rule_validation.action(service="neutron",
- rule="update_security_group")
+ rule="update_security_group",
+ expected_error_code=404)
@decorators.idempotent_id('56c5e4dc-f8aa-11e6-bc64-92361f002671')
def test_update_security_group(self):
# Create a security group
secgroup_id = self._create_security_group()['id']
+
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.security_groups_client.update_security_group(
- secgroup_id,
- description="test description")
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.security_groups_client.update_security_group(
+ secgroup_id,
+ description="test description")
@rbac_rule_validation.action(service="neutron",
rule="get_security_groups")
@@ -145,38 +130,26 @@
self._create_security_group_rule()
@rbac_rule_validation.action(service="neutron",
- rule="delete_security_group_rule")
+ rule="delete_security_group_rule",
+ expected_error_code=404)
@decorators.idempotent_id('2262539e-b7d9-438c-acf9-a5ce0613be28')
def test_delete_security_group_rule(self):
sec_group_rule = self._create_security_group_rule()
-
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.security_group_rules_client.delete_security_group_rule(
- sec_group_rule['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.security_group_rules_client.delete_security_group_rule(
+ sec_group_rule['id'])
@rbac_rule_validation.action(service="neutron",
- rule="get_security_group_rule")
+ rule="get_security_group_rule",
+ expected_error_code=404)
@decorators.idempotent_id('84b4038c-261e-4a94-90d5-c885739ab0d5')
def test_show_security_group_rule(self):
sec_group_rule = self._create_security_group_rule()
-
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.security_group_rules_client.show_security_group_rule(
- sec_group_rule['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.security_group_rules_client.show_security_group_rule(
+ sec_group_rule['id'])
@rbac_rule_validation.action(service="neutron",
rule="get_security_group_rules")
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index 35ad335..3667212 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -18,10 +18,8 @@
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
-from tempest.lib import exceptions
from tempest import test
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -79,7 +77,8 @@
self._create_subnetpool(shared=True)
@rbac_rule_validation.action(service="neutron",
- rule="get_subnetpool")
+ rule="get_subnetpool",
+ expected_error_code=404)
@decorators.idempotent_id('4f5aee26-0507-4b6d-b44c-3128a25094d2')
def test_show_subnetpool(self):
"""Show subnetpool.
@@ -88,13 +87,7 @@
"""
subnetpool = self._create_subnetpool()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.subnetpools_client.show_subnetpool(subnetpool['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnetpool")
@@ -110,7 +103,8 @@
min_prefixlen=24)
@rbac_rule_validation.action(service="neutron",
- rule="delete_subnetpool")
+ rule="delete_subnetpool",
+ expected_error_code=404)
@decorators.idempotent_id('50f5944e-43e5-457b-ab50-fb48a73f0d3e')
def test_delete_subnetpool(self):
"""Delete subnetpool.
@@ -119,10 +113,4 @@
"""
subnetpool = self._create_subnetpool()
self.rbac_utils.switch_role(self, switchToRbacRole=True)
- try:
- self.subnetpools_client.delete_subnetpool(subnetpool['id'])
- except exceptions.NotFound as e:
- LOG.info("NotFound exception caught. Exception is thrown when "
- "role doesn't have access to the endpoint."
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed(e)
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index 996e2b7..29f6a80 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -79,15 +79,6 @@
# Detach the volume
self._detach_volume()
- @testtools.skipUnless(CONF.service_available.nova,
- "Nova is needed to create a server")
- @rbac_rule_validation.action(service="cinder", rule="volume:get")
- @decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
- def test_get_volume_attachment(self):
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- # Get attachment
- self.client.show_volume(self.volume['id'])
-
@testtools.skipIf(True, "Patrole bug #1672799")
@rbac_rule_validation.action(service="cinder",
rule="volume:copy_volume_to_image")
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_basic_crud.py b/patrole_tempest_plugin/tests/api/volume/test_volume_basic_crud.py
new file mode 100644
index 0000000..70f53fd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_basic_crud.py
@@ -0,0 +1,78 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesV2BasicCrudRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:create")
+ @decorators.idempotent_id('426b08ef-6394-4d06-9128-965d5a6c38ef')
+ def test_create_volume(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.create_volume()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:delete")
+ @decorators.idempotent_id('6de9f9c2-509f-4558-867b-af21c7163be4')
+ def test_delete_volume(self):
+ volume = self.create_volume()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.delete_volume(volume['id'])
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:get")
+ @decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
+ def test_get_volume(self):
+ volume = self.create_volume()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.show_volume(volume['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all")
+ @decorators.idempotent_id('e3ab7906-b04b-4c45-aa11-1104d302f940')
+ def test_volume_list(self):
+ # Get a list of Volumes
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.list_volumes()
+
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:get_volumes_image_metadata")
+ @decorators.idempotent_id('3d48ca91-f02b-4616-a69d-4a8b296c8529')
+ def test_volume_list_image_metadata(self):
+ # Get a list of Volumes
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.list_volumes(detail=True)
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:update")
+ @decorators.idempotent_id('b751b889-9a9b-40d8-ae7d-4b0f65e71ac7')
+ def test_update_volume(self):
+ volume = self.create_volume()
+ new_name = data_utils.rand_name('volume')
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.update_volume(volume['id'],
+ name=new_name)
+
+
+class VolumesV3BasicCrudRbacTest(VolumesV2BasicCrudRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
deleted file mode 100644
index d028180..0000000
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_log import log as logging
-
-from tempest import config
-from tempest.lib import decorators
-from tempest.lib import exceptions
-
-from patrole_tempest_plugin import rbac_exceptions
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.volume import rbac_base
-
-CONF = config.CONF
-LOG = logging.getLogger(__name__)
-
-
-class CreateDeleteVolumeRbacTest(rbac_base.BaseVolumeRbacTest):
-
- def _create_volume(self):
- # create_volume waits for volume status to be
- # "available" before returning and automatically
- # cleans up at the end of testing
- volume = self.create_volume()
- return volume
-
- @rbac_rule_validation.action(service="cinder",
- rule="volume:create")
- @decorators.idempotent_id('426b08ef-6394-4d06-9128-965d5a6c38ef')
- def test_create_volume(self):
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- # Create a volume
- self._create_volume()
-
- @rbac_rule_validation.action(service="cinder",
- rule="volume:delete")
- @decorators.idempotent_id('6de9f9c2-509f-4558-867b-af21c7163be4')
- def test_delete_volume(self):
- try:
- # Create a volume
- volume = self._create_volume()
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- # Delete a volume
- self.volumes_client.delete_volume(volume['id'])
- except exceptions.NotFound as e:
- raise rbac_exceptions.RbacActionFailed(e)
-
-
-class CreateDeleteVolumeV3RbacTest(CreateDeleteVolumeRbacTest):
- _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
deleted file mode 100644
index 8c0a9e0..0000000
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2017 AT&T Corp
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.volume import rbac_base
-
-CONF = config.CONF
-
-
-class VolumesListRbacTest(rbac_base.BaseVolumeRbacTest):
-
- @classmethod
- def setup_clients(cls):
- super(VolumesListRbacTest, cls).setup_clients()
- cls.client = cls.os.volumes_client
-
- @rbac_rule_validation.action(service="cinder",
- rule="volume:get_all")
- @decorators.idempotent_id('e3ab7906-b04b-4c45-aa11-1104d302f940')
- def test_volume_list(self):
- # Get a list of Volumes
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.client.list_volumes()
-
- @rbac_rule_validation.action(
- service="cinder",
- rule="volume_extension:get_volumes_image_metadata")
- @decorators.idempotent_id('3d48ca91-f02b-4616-a69d-4a8b296c8529')
- def test_volume_list_image_metadata(self):
- # Get a list of Volumes
- self.rbac_utils.switch_role(self, switchToRbacRole=True)
- self.client.list_volumes(detail=True)
-
-
-class VolumeListV3RbacTest(VolumesListRbacTest):
- _api_version = 3
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
index eeb06cc..705c7e7 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
@@ -19,10 +19,13 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation as rbac_rv
+from tempest import config
from tempest.lib import exceptions
from tempest import test
from tempest.tests import base
+CONF = config.CONF
+
class RBACRuleValidationTest(base.TestCase):
@@ -36,6 +39,10 @@
self.mock_args.auth_provider.credentials.user_id = \
mock.sentinel.user_id
+ CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ enforce_type=True)
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_happy_path(self, mock_auth):
decorator = rbac_rv.action("", "")
@@ -44,27 +51,58 @@
wrapper((self.mock_args))
self.assertTrue(mock_function.called)
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
- def test_RBAC_rv_forbidden(self, mock_auth):
- decorator = rbac_rv.action("", "")
+ def test_RBAC_rv_forbidden(self, mock_auth, mock_log):
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
mock_function = mock.Mock()
mock_function.side_effect = exceptions.Forbidden
wrapper = decorator(mock_function)
- self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ e = self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ self.assertIn(
+ "Role Member was not allowed to perform sentinel.action.",
+ e.__str__())
+ mock_log.error.assert_called_once_with("Role Member was not allowed to"
+ " perform sentinel.action.")
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
- def test_RBAC_rv_rbac_action_failed(self, mock_auth):
- decorator = rbac_rv.action("", "")
+ def test_expect_not_found_but_raises_forbidden(self, mock_auth, mock_log):
+ decorator = rbac_rv.action(mock.sentinel.service,
+ mock.sentinel.action,
+ expected_error_code=404)
+ mock_function = mock.Mock()
+ mock_function.side_effect = exceptions.NotFound
+ wrapper = decorator(mock_function)
+
+ e = self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ self.assertIn(
+ "Role Member was not allowed to perform sentinel.action.",
+ e.__str__())
+ mock_log.error.assert_called_once_with("Role Member was not allowed to"
+ " perform sentinel.action.")
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
+ def test_RBAC_rv_rbac_action_failed(self, mock_auth, mock_log):
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
mock_function = mock.Mock()
mock_function.side_effect = rbac_exceptions.RbacActionFailed
-
wrapper = decorator(mock_function)
- self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ e = self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ self.assertIn(
+ "Role Member was not allowed to perform sentinel.action.",
+ e.__str__())
+
+ mock_log.error.assert_called_once_with("Role Member was not allowed to"
+ " perform sentinel.action.")
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
- def test_RBAC_rv_not_allowed(self, mock_auth):
- decorator = rbac_rv.action("", "")
+ def test_RBAC_rv_not_allowed(self, mock_auth, mock_log):
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
mock_function = mock.Mock()
wrapper = decorator(mock_function)
@@ -73,8 +111,13 @@
mock_permission.get_permission.return_value = False
mock_auth.return_value = mock_permission
- self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper,
- self.mock_args)
+ e = self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper,
+ self.mock_args)
+ self.assertIn(("OverPermission: Role Member was allowed to perform "
+ "sentinel.action"), e.__str__())
+
+ mock_log.error.assert_called_once_with(
+ "Role Member was allowed to perform sentinel.action")
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_forbidden_not_allowed(self, mock_auth):
@@ -90,6 +133,29 @@
self.assertIsNone(wrapper(self.mock_args))
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
+ def test_expect_not_found_and_not_allowed(self, mock_auth, mock_log):
+ decorator = rbac_rv.action(mock.sentinel.service,
+ mock.sentinel.action,
+ expected_error_code=404)
+
+ mock_function = mock.Mock()
+ mock_function.side_effect = exceptions.NotFound
+ wrapper = decorator(mock_function)
+
+ mock_permission = mock.Mock()
+ mock_permission.get_permission.return_value = False
+ mock_auth.return_value = mock_permission
+
+ self.assertIsNone(wrapper(self.mock_args))
+
+ mock_log.warning.assert_called_once_with(
+ 'NotFound exception was caught for policy action sentinel.action. '
+ 'The service sentinel.service throws a 404 instead of a 403, '
+ 'which is irregular.')
+ mock_log.error.assert_not_called()
+
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_rbac_action_failed_not_allowed(self, mock_auth):
decorator = rbac_rv.action("", "")
@@ -122,3 +188,73 @@
mock_rbac_policy_parser.RbacPolicyParser.assert_called_once_with(
mock.sentinel.tenant_id, mock.sentinel.user_id,
mock.sentinel.service)
+
+ @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
+ def test_get_exception_type_404(self, mock_auth):
+ expected_exception = exceptions.NotFound
+ expected_irregular_msg = ("NotFound exception was caught for policy "
+ "action {0}. The service {1} throws a 404 "
+ "instead of a 403, which is irregular.")
+
+ actual_exception, actual_irregular_msg = \
+ rbac_rv._get_exception_type(404)
+
+ self.assertEqual(expected_exception, actual_exception)
+ self.assertEqual(expected_irregular_msg, actual_irregular_msg)
+
+ @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
+ def test_get_exception_type_403(self, mock_auth):
+ expected_exception = exceptions.Forbidden
+ expected_irregular_msg = None
+
+ actual_exception, actual_irregular_msg = \
+ rbac_rv._get_exception_type(403)
+
+ self.assertEqual(expected_exception, actual_exception)
+ self.assertEqual(expected_irregular_msg, actual_irregular_msg)
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
+ def test_exception_thrown_when_type_is_not_int(self, mock_auth, mock_log):
+ self.assertRaises(rbac_exceptions.RbacInvalidErrorCode,
+ rbac_rv._get_exception_type, "403")
+
+ mock_log.error.assert_called_once_with("Please pass an expected error "
+ "code. Currently supported "
+ "codes: [403, 404]")
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ def test_rbac_decorator_with_admin_only_and_have_permission(self,
+ mock_log):
+ CONF.set_override('rbac_test_role', 'admin', group='rbac',
+ enforce_type=True)
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+
+ decorator = rbac_rv.action(mock.sentinel.service,
+ mock.sentinel.policy_rule,
+ admin_only=True)
+ wrapper = decorator(mock.Mock(side_effect=None))
+ wrapper(self.mock_args)
+
+ mock_log.info.assert_called_once_with(
+ "As admin_only is True, only admin role should be allowed to "
+ "perform the API. Skipping oslo.policy check for policy action "
+ "{0}.".format(mock.sentinel.policy_rule))
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ def test_rbac_decorator_with_admin_only_and_lack_permission(self,
+ mock_log):
+ CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ enforce_type=True)
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+
+ decorator = rbac_rv.action(mock.sentinel.service,
+ mock.sentinel.policy_rule,
+ admin_only=True)
+ wrapper = decorator(mock.Mock(side_effect=exceptions.Forbidden))
+ wrapper(self.mock_args)
+
+ mock_log.info.assert_called_once_with(
+ "As admin_only is True, only admin role should be allowed to "
+ "perform the API. Skipping oslo.policy check for policy action "
+ "{0}.".format(mock.sentinel.policy_rule))
diff --git a/requirements.txt b/requirements.txt
index b22bec8..2506f82 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,3 +5,5 @@
pbr>=1.8 # Apache-2.0
urllib3>=1.15.1 # MIT
oslo.log>=3.11.0 # Apache-2.0
+oslo.config>=3.22.0 # Apache-2.0
+tempest>=14.0.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index b4953e7..85314b6 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,13 +13,13 @@
whitelist_externals = find
deps = -r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
-commands =
+commands =
find . -type f -name "*.pyc" -delete
ostestr {posargs} --whitelist-file test-whitelist.txt
[testenv:pep8]
commands = flake8 {posargs}
- check-uuid
+ check-uuid
[testenv:uuidgen]
commands = check-uuid --fix
@@ -46,7 +46,7 @@
sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[testenv:debug]
-commands = oslo_debug_helper {posargs}
+commands = oslo_debug_helper -t patrole_tempest_plugin/tests {posargs}
[flake8]
# E123, E125 skipped as they are invalid PEP-8.