Merge "Add tests to cover segments"
diff --git a/.zuul.yaml b/.zuul.yaml
index 21b5679..5701eb4 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,7 +1,9 @@
- job:
name: patrole-base
parent: devstack-tempest
- description: Patrole base job for admin and member roles.
+ description: |
+ Patrole base job for admin and member roles. This job executes RBAC tests
+ for all the "core" services that Tempest covers, excluding Swift.
required-projects:
- name: openstack/tempest
- name: openstack/patrole
@@ -17,7 +19,7 @@
- ^setup.cfg$
vars:
devstack_localrc:
- TEMPEST_PLUGINS: "'{{ ansible_user_dir }}/src/git.openstack.org/openstack/patrole'"
+ TEMPEST_PLUGINS: "'/opt/stack/patrole'"
devstack_plugins:
patrole: git://git.openstack.org/openstack/patrole.git
devstack_services:
@@ -127,6 +129,47 @@
# Without Swift, c-bak cannot run (in the gate at least).
c-bak: false
+- job:
+ name: patrole-plugin-base
+ parent: patrole-base
+ description: |
+ Patrole plugin job for admin and member roles which
+ runs RBAC tests for neutron-tempest-plugin APIs (if the plugin is installed).
+ required-projects:
+ - name: openstack/tempest
+ - name: openstack/patrole
+ - name: openstack/neutron-tempest-plugin
+ vars:
+ devstack_localrc:
+ TEMPEST_PLUGINS: "'/opt/stack/patrole
+ /opt/stack/neutron-tempest-plugin'"
+ devstack_plugins:
+ neutron: git://git.openstack.org/openstack/neutron.git
+ patrole: git://git.openstack.org/openstack/patrole.git
+ neutron-tempest-plugin: git://git.openstack.org/openstack/neutron-tempest-plugin.git
+ devstack_services:
+ tempest: true
+ neutron: true
+ neutron-segments: true
+
+- job:
+ name: patrole-plugin-member
+ parent: patrole-plugin-base
+ voting: false
+ vars:
+ devstack_localrc:
+ RBAC_TEST_ROLE: member
+ tempest_test_regex: (?=.*PluginRbacTest)(^patrole_tempest_plugin\.tests\.api)
+
+- job:
+ name: patrole-plugin-admin
+ parent: patrole-plugin-base
+ voting: false
+ vars:
+ devstack_localrc:
+ RBAC_TEST_ROLE: admin
+ tempest_test_regex: (?=.*PluginRbacTest)(^patrole_tempest_plugin\.tests\.api)
+
- project:
check:
jobs:
@@ -138,6 +181,8 @@
- patrole-multinode-admin
- patrole-multinode-member
- openstack-tox-lower-constraints
+ - patrole-plugin-admin
+ - patrole-plugin-member
gate:
jobs:
- patrole-admin
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
index 3065c13..6c57a0c 100644
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -33,3 +33,41 @@
def setup_clients(cls):
super(BaseNetworkRbacTest, cls).setup_clients()
cls.setup_rbac_utils()
+
+
+class BaseNetworkPluginRbacTest(BaseNetworkRbacTest):
+ """Base class to be used with tests that require neutron-tempest-plugin.
+ """
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseNetworkPluginRbacTest, cls).skip_checks()
+
+ if not cls.is_neutron_tempest_plugin_avaliable():
+ msg = ("neutron-tempest-plugin not installed.")
+ raise cls.skipException(msg)
+
+ @classmethod
+ def is_neutron_tempest_plugin_avaliable(cls):
+ try:
+ import neutron_tempest_plugin # noqa
+ return True
+ except ImportError:
+ return False
+
+ @classmethod
+ def get_client_manager(cls, credential_type=None, roles=None,
+ force_new=None):
+ manager = super(BaseNetworkPluginRbacTest, cls).get_client_manager(
+ credential_type=credential_type,
+ roles=roles,
+ force_new=force_new
+ )
+
+ # Import neutron-tempest-plugin clients
+ if cls.is_neutron_tempest_plugin_avaliable():
+ from neutron_tempest_plugin.api import clients
+ neutron_tempest_manager = clients.Manager(manager.credentials)
+ cls.ntp_client = neutron_tempest_manager.network_client
+
+ return manager
diff --git a/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py b/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
new file mode 100644
index 0000000..2db674b
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
@@ -0,0 +1,119 @@
+# Copyright 2018 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import random
+
+from tempest.common import utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class SegmentsPluginRbacTest(base.BaseNetworkPluginRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SegmentsPluginRbacTest, cls).skip_checks()
+ if not utils.is_extension_enabled('segment', 'network'):
+ msg = "segment extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(SegmentsPluginRbacTest, cls).resource_setup()
+ cls.network = cls.create_network()
+
+ @classmethod
+ def get_free_segmentation_id(cls):
+ # Select unused segmentation_id to prevent usage conflict
+ segments = cls.ntp_client.list_segments()["segments"]
+ segmentation_ids = [s["segmentation_id"] for s in segments]
+
+ # With 2+ concurrency, tests that ran in the same moment may fail due
+ # to usage conflict. To prevent it we select segmentation to start
+ # randomly.
+ segmentation_id = random.randint(1000, 5000)
+ while segmentation_id in segmentation_ids:
+ segmentation_id += 1
+
+ return segmentation_id
+
+ @classmethod
+ def create_segment(cls, network):
+ segmentation_id = cls.get_free_segmentation_id()
+
+ seg = cls.ntp_client.create_segment(
+ network_id=network['id'], network_type="gre",
+ segmentation_id=segmentation_id)
+ cls.addClassResourceCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ cls.ntp_client.delete_segment, seg['segment']['id'])
+
+ return seg
+
+ @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08126')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["create_segment"])
+ def test_create_segment(self):
+ """Create segment.
+
+ RBAC test for the neutron "create_segment" policy
+ """
+ with self.rbac_utils.override_role(self):
+ self.create_segment(self.network)
+
+ @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08127')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_segment"])
+ def test_show_segment(self):
+ """Show segment.
+
+ RBAC test for the neutron "get_segment" policy
+ """
+ segment = self.create_segment(self.network)
+
+ with self.rbac_utils.override_role(self):
+ self.ntp_client.show_segment(segment['segment']['id'])
+
+ @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08128')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_segment",
+ "update_segment"])
+ def test_update_segment(self):
+ """Update segment.
+
+ RBAC test for the neutron "update_segment" policy
+ """
+ segment = self.create_segment(self.network)
+
+ with self.rbac_utils.override_role(self):
+ self.ntp_client.update_segment(segment['segment']['id'],
+ name="NewName")
+
+ @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08129')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_segment",
+ "delete_segment"])
+ def test_delete_segment(self):
+ """Delete segment.
+
+ RBAC test for the neutron "delete_segment" policy
+ """
+ segment = self.create_segment(self.network)
+
+ with self.rbac_utils.override_role(self):
+ self.ntp_client.delete_segment(segment['segment']['id'])
diff --git a/releasenotes/notes/add-neutron-tempest-plugin-clients-c031e232021b390c.yaml b/releasenotes/notes/add-neutron-tempest-plugin-clients-c031e232021b390c.yaml
new file mode 100644
index 0000000..91d3f20
--- /dev/null
+++ b/releasenotes/notes/add-neutron-tempest-plugin-clients-c031e232021b390c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ In order to strive toward complete test coverage for the services it
+ tests, Patrole now offers RBAC coverage for the APIs included in
+ neutron-tempest-plugin. If this plugin is not installed or enabled, then
+ Patrole will skip those tests.