Multi role RBAC validation
This patchset replaces ``CONF.patrole.rbac_test_role`` with
``CONF.patrole.rbac_test_roles``, so that instead of a single role
we can specify a list of roles to be assigned to the test user.
Change-Id: Ia68bcbdbb523dfe7c4abd6107fb4c426a566ae9d
diff --git a/patrole_tempest_plugin/requirements_authority.py b/patrole_tempest_plugin/requirements_authority.py
index 75df9f4..57caf79 100644
--- a/patrole_tempest_plugin/requirements_authority.py
+++ b/patrole_tempest_plugin/requirements_authority.py
@@ -95,13 +95,14 @@
else:
self.roles_dict = None
- def allowed(self, rule_name, role):
+ def allowed(self, rule_name, roles):
"""Checks if a given rule in a policy is allowed with given role.
:param string rule_name: Rule to be checked using provided requirements
file specified by ``[patrole].custom_requirements_file``. Must be
a key present in this file, under the appropriate component.
- :param string role: Role to validate against custom requirements file.
+ :param List[string] roles: Roles to validate against custom
+ requirements file.
:returns: True if ``role`` is allowed to perform ``rule_name``, else
False.
:rtype: bool
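Review bot: The docstring of `allowed` is only half updated: the summary line still reads "with given role" and `:returns:` still refers to ``role``, although the parameter is now the list `roles`. I would change the summary to `"""Checks if a given rule in a policy is allowed with the given roles.` and the return text to `:returns: True if every role in ``roles`` is listed for ``rule_name``, else False.`. That states the every-role-must-match rule, which the new `all(...)` return implements, at the place callers read it. The method body continues outside this hunk.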
@@ -115,8 +116,7 @@
"formatted.")
try:
_api = self.roles_dict[rule_name]
- return role in _api
+ return all(role in _api for role in roles)
except KeyError:
raise KeyError("'%s' API is not defined in the requirements YAML "
"file" % rule_name)
- return False
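Review bot: `all(role in _api for role in roles)` is vacuously True when `roles` is empty, so an empty `rbac_test_roles` would make every rule defined in the requirements file count as allowed. Returning `bool(roles) and all(role in _api for role in roles)`, or raising on an empty list before the lookup, would make that case fail visibly. A caller that was not migrated and still passes a single role name as a string would be iterated character by character and most likely get False without any error, so a type check on `roles` is worth adding too. It is also worth confirming that requiring every assigned role to be listed is the intended semantics, since a user holding several roles is commonly authorized when any one of them grants the rule. The start of `allowed` lies outside this hunk.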