commit | d5d76b8ebbd36e291d5037e7fb85ccc630148958 | |
---|---|---|
author | Felipe Monteiro <felipe.monteiro@att.com> | Mon Mar 20 23:18:50 2017 +0000 |
committer | Felipe Monteiro <felipe.monteiro@att.com> | Wed Mar 22 14:23:49 2017 +0000 |
tree | b832f9d68298f47b96c0025162f0db19c151354b | |
parent | 6ef58806fbc34a8b7f12245bc0ea1825c490f55b | |

Fix failing v2 identity user tests by adding admin_only kwarg.

Currently, a number of identity v2 Patrole tests wrongly assume that policy enforcement is executed by Keystone: for example [0]. These tests are written just like any other Patrole tests but cannot be. This is because Keystone does not actually perform a policy lookup for many v2 endpoints: for example [1].

In the listed example, policy enforcement is not done at all; instead, Keystone executes "self.assert_admin(request)" which checks whether the request context has admin credentials. If not, a 403 is thrown, which is why many identity v2 Patrole tests are failing. Policy enforcement is only executed when @controllers.protected() is present above the API [2]; otherwise it is not.

Since it is unlikely that Keystone will change policy enforcement in its deprecated v2 API, Patrole should instead compensate for this limitation with new functionality.

Thus, Patrole's rbac_rule_validation.action decorator was enhanced to take a new kwarg called "admin_only" whose default value is False. When set to True, the local variable allowed in rbac_rule_validation.action will check whether the current rbac_test_role is admin: if it is, then the Patrole framework will expect the test to pass; otherwise it will expect the test to fail.

[0] https://github.com/openstack/patrole/blob/master/patrole_tempest_plugin/tests/api/identity/v2/test_users_rbac.py

[1] https://github.com/openstack/keystone/blob/a3aee6ccb52d85eac1deedec31724a955d47fa96/keystone/identity/controllers.py

[2] https://github.com/openstack/keystone/blob/master/keystone/common/controller.py

Change-Id: Ie4025f45dc0b9434b0f5216bad8e441cdbe3b6f4

Closes-Bug: #1674495

Partial-Bug: #1670553
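
The mismatch the commit message describes, as an added example that is not part of the commit or of Patrole's code: a simplified model of an RBAC validation decorator run against an endpoint that checks only for admin credentials. The decorator body, the policy table, the "member" role and the stand-in endpoint are all assumptions constructed for illustration.

```python
import functools

class Forbidden(Exception):
    """Stands in for the HTTP 403 returned by the service."""

# Constructed policy data: on paper the rule admits "member" as well.
POLICY = {"identity:create_user": {"admin", "member"}}

def v2_create_user(role):
    """Models a v2 endpoint guarded by an admin check, with no policy lookup."""
    if role != "admin":
        raise Forbidden("403")
    return {"user": "created"}

def action(rule, admin_only=False):
    """Hypothetical, simplified RBAC validation decorator."""
    def decorator(test):
        @functools.wraps(test)
        def wrapper(role):
            # Expected outcome comes from the role alone when admin_only is
            # set, otherwise from the policy rule.
            allowed = (role == "admin") if admin_only else role in POLICY.get(rule, set())
            try:
                test(role)
            except Forbidden:
                if allowed:
                    raise AssertionError(f"{role} is allowed by {rule} but got 403")
                return "denied as expected"
            if not allowed:
                raise AssertionError(f"{role} should be denied but the call succeeded")
            return "allowed as expected"
        return wrapper
    return decorator

@action("identity:create_user")
def create_user_policy_check(role):
    v2_create_user(role)

@action("identity:create_user", admin_only=True)
def create_user_admin_only_check(role):
    v2_create_user(role)

def outcome(check, role):
    """Return the verdict string, or the failure message prefixed with FAIL."""
    try:
        return check(role)
    except AssertionError as exc:
        return f"FAIL: {exc}"
```

With the policy-derived expectation, the "member" run fails because the endpoint never consults the policy; with `admin_only=True` the expectation follows the endpoint's actual admin check and both roles validate.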