Add RBAC tests for identity v3 project tags
This PS adds RBAC tests for the identity v3 project tags
API [0], whose policies can be found here: [1]. The
corresponding Tempest client is implemented in [2].
[0] https://developer.openstack.org/api-ref/identity/v3/index.html#project-tags
[1] https://github.com/openstack/keystone/blob/19f9937e98473e4fab9f4ee5c86b23a2eaacfe0f/keystone/common/policies/project.py#L98-161
[2] Iec6b34c10ea1bd7103720c773b48ce130643115d
Depends-On: Iad6b3a88639bb4a0dc3aea5af2ba0162dfa19f96
Change-Id: I6024fbe89d3d8f673be223bd5a07b1068be12034
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 5124f52..90fa6aa 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -127,16 +127,17 @@
cls.endpoint_groups_client = cls.os_primary.endpoint_groups_client
cls.groups_client = cls.os_primary.groups_client
cls.identity_client = cls.os_primary.identity_v3_client
+ cls.oauth_token_client = cls.os_primary.oauth_token_client
cls.projects_client = cls.os_primary.projects_client
+ cls.project_tags_client = cls.os_primary.project_tags_client
cls.policies_client = cls.os_primary.policies_client
cls.regions_client = cls.os_primary.regions_client
cls.role_assignments_client = cls.os_primary.role_assignments_client
cls.roles_client = cls.os_primary.roles_v3_client
cls.services_client = cls.os_primary.identity_services_v3_client
+ cls.token_client = cls.os_primary.token_v3_client
cls.trusts_client = cls.os_primary.trusts_client
cls.users_client = cls.os_primary.users_v3_client
- cls.oauth_token_client = cls.os_primary.oauth_token_client
- cls.token_client = cls.os_primary.token_v3_client
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py
new file mode 100644
index 0000000..d3d84b6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_project_tags_rbac.py
@@ -0,0 +1,87 @@
+# Copyright 2018 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class ProjectTagsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(ProjectTagsV3RbacTest, cls).resource_setup()
+ cls.project_id = cls.setup_test_project()['id']
+
+ def tearDown(self):
+ self.project_tags_client.delete_all_project_tags(self.project_id)
+ super(ProjectTagsV3RbacTest, self).tearDown()
+
+ @decorators.idempotent_id('acbd7b2d-0a4d-4990-9fab-eccad69d4238')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_project_tag")
+ def test_update_project_tag(self):
+ tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.update_project_tag(self.project_id, tag)
+
+ @decorators.idempotent_id('e122d7d1-bb6d-43af-b489-afa8c609b9ae')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_project_tags")
+ def test_list_project_tags(self):
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.list_project_tags(self.project_id)
+
+ @decorators.idempotent_id('716f9081-4626-4594-a82c-e7dc037464ac')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_project_tags")
+ def test_update_all_project_tags(self):
+ tags = [
+ data_utils.rand_name(self.__class__.__name__ + '-Tag')
+ for _ in range(2)
+ ]
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.update_all_project_tags(
+ self.project_id, tags)
+
+ @decorators.idempotent_id('974cb1da-d7d4-4863-99da-4a3f0c801729')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_project_tag")
+ def test_check_project_tag_existence(self):
+ tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+ self.project_tags_client.update_project_tag(self.project_id, tag)
+
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.check_project_tag_existence(
+ self.project_id, tag)
+
+ @decorators.idempotent_id('ffe0c8e1-f9eb-43c5-8097-1e938fc08e07')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_project_tag")
+ def test_delete_project_tag(self):
+ tag = data_utils.rand_name(self.__class__.__name__ + '-Tag')
+ self.project_tags_client.update_project_tag(self.project_id, tag)
+
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.delete_project_tag(self.project_id, tag)
+
+ @decorators.idempotent_id('94d0ef63-e9e3-4287-9c5e-bd5464467d77')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_project_tags")
+ def test_delete_all_project_tags(self):
+ with self.rbac_utils.override_role(self):
+ self.project_tags_client.delete_all_project_tags(self.project_id)