Merge "Add missing v3 token related testcases"
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 1ed081e..e8c402e 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -243,6 +243,7 @@
cls.trusts_client = cls.os_primary.trusts_client
cls.users_client = cls.os_primary.users_v3_client
cls.oauth_token_client = cls.os_primary.oauth_token_client
+ cls.token_client = cls.os_primary.token_v3_client
@classmethod
def resource_setup(cls):
@@ -254,6 +255,7 @@
cls.projects = []
cls.regions = []
cls.trusts = []
+ cls.tokens = []
@classmethod
def resource_cleanup(cls):
@@ -289,6 +291,10 @@
test_utils.call_and_ignore_notfound_exc(
cls.trusts_client.delete_trust, trust['id'])
+ for token in cls.tokens:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.identity_client.delete_token, token)
+
super(BaseIdentityV3RbacTest, cls).resource_cleanup()
@classmethod
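Review bot: The new token loop in resource_cleanup goes through `call_and_ignore_notfound_exc`, which by its name swallows only NotFound, so a Forbidden from `cls.identity_client.delete_token` would propagate and skip `super(BaseIdentityV3RbacTest, cls).resource_cleanup()`. This matters for the alt-user tokens that the negative tests add to `cls.tokens`: revoking them succeeds only if the primary credentials hold a role that `identity:revoke_token` permits at cleanup time, which cannot be confirmed from this hunk. A comment above the loop such as `# Needs a role allowed to revoke other users' tokens (alt-user tokens land here too).` would record that assumption. If it does not hold, those tokens stay valid until they expire. resource_cleanup starts before the hunk, so the role in effect there is not visible here.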
@@ -375,3 +381,12 @@
cls.trusts.append(trust)
return trust
+
+ @classmethod
+ def setup_test_token(cls, user_id, password):
+ """Set up a test token."""
+ token = cls.token_client.auth(user_id=user_id,
+ password=password).response
+ token_id = token['x-subject-token']
+ cls.tokens.append(token_id)
+ return token_id
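Review bot: The docstring `"""Set up a test token."""` on setup_test_token does not say that the return value is the raw token ID read from the `x-subject-token` response header, which is a usable bearer credential, nor that the ID is queued in `cls.tokens` for revocation in resource_cleanup. I would expand it to `"""Authenticate with user_id/password and return the issued token ID; the ID is recorded in cls.tokens so resource_cleanup revokes it."""`. The `auth` call passes no project or domain scope, so the token is presumably unscoped, and that deserves a line for anyone reusing the helper. Callers should keep the returned ID out of log and assertion messages.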
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
new file mode 100644
index 0000000..1ab296a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
@@ -0,0 +1,100 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ credentials = ['primary', 'admin', 'alt']
+
+ @classmethod
+ def skip_checks(cls):
+ super(IdentityTokenV3RbacTest, cls).skip_checks()
+ # In case of admin, the positive testcase would be used, hence
+ # skipping negative testcase
+ if CONF.rbac.rbac_test_role == CONF.identity.admin_role:
+ raise cls.skipException(
+ "Skipped as admin role doesn't require negative testing")
+
+ def _setup_alt_token(self):
+ return self.setup_test_token(
+ self.os_alt.auth_provider.credentials.user_id,
+ self.os_alt.auth_provider.credentials.password)
+
+ @decorators.idempotent_id('c83c8f1a-79cb-4dc4-b55f-c7d2bfd98b1e')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:validate_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_show_token_negative(self):
+ # Explicit negative test for identity:validate_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.show_token,
+ alt_token_id)
+ raise e
+
+ @decorators.idempotent_id('2786a55d-a818-433a-af7a-41ebf72ab4da')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:revoke_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_delete_token_negative(self):
+ # Explicit negative test for identity:revoke_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.delete_token,
+ alt_token_id)
+ raise e
+
+ @decorators.idempotent_id('1ea02ac0-9a96-44bd-bdc3-4dae3c10cc2e')
+ @test.attr(type=['negative'])
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:check_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+ def test_check_token_existence_negative(self):
+ # Explicit negative test for identity:check_token policy action.
+ # Assert expected exception is Forbidden and then reraise it.
+ alt_token_id = self._setup_alt_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ e = self.assertRaises(lib_exc.Forbidden,
+ self.identity_client.check_token_existence,
+ alt_token_id)
+ raise e
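Review bot: Each test in this file hard-codes `assertRaises(lib_exc.Forbidden, ...)`, while skip_checks excludes only the case where `CONF.rbac.rbac_test_role` equals the admin role by name. If the deployed policy lets some other role pass `identity:validate_token`, `identity:revoke_token` or `identity:check_token` on a token owned by a different user, these tests would presumably fail on the assertion instead of reporting through `rbac_rule_validation.action`. That may be intended, but nothing in the file says so. A class docstring would make the assumption explicit, for example `"""Negative tests: the RBAC role acts on a token issued to the alt user and must get Forbidden."""`. The three test bodies differ only in the client method called, so a small private helper taking that method would remove the repetition.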
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
new file mode 100644
index 0000000..e6d0dd1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_rbac.py
@@ -0,0 +1,67 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityTokenV3RbacTest, cls).resource_setup()
+ cls.user_id = cls.os_primary.auth_provider.credentials.user_id
+ cls.password = cls.os_primary.auth_provider.credentials.password
+
+ @decorators.idempotent_id('201e2fe5-2023-4bce-9189-78b51520a91e')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:validate_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_show_token(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.show_token(token_id)
+
+ @decorators.idempotent_id('42a299db-fe0a-4ea0-9824-0bfd13155886')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:revoke_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_delete_token(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.delete_token(token_id)
+
+ @decorators.idempotent_id('3554d218-8cd6-4730-a1b2-0e22f9b78f45')
+ @rbac_rule_validation.action(
+ service="keystone",
+ rule="identity:check_token",
+ extra_target_data={
+ "target.token.user_id":
+ "os_primary.auth_provider.credentials.user_id"
+ })
+ def test_check_token_exsitence(self):
+ token_id = self.setup_test_token(self.user_id, self.password)
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.identity_client.check_token_existence(token_id)
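Review bot: The method name `test_check_token_exsitence` is misspelled and should read `def test_check_token_existence(self):`, matching the client call `check_token_existence` and the negative test `test_check_token_existence_negative`. Test selection by regex matches on this name, so the typo is worth fixing before it ends up in skip lists. The class is also named `IdentityTokenV3RbacTest` in both new modules, which makes failures harder to tell apart in reports that show only the class name. Neither the class nor its tests have docstrings; a one-line class docstring stating that each test acts on the primary user's own token would help.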
diff --git a/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml b/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml
new file mode 100644
index 0000000..da285eb
--- /dev/null
+++ b/releasenotes/notes/test_tokens_rbac-63a93e507d079a03.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added RBAC test scenarios for the token-related v3 identity API