Update overpermission/underpermission rbac exceptions

This patchset updates rbac_exceptions by bringing the concept
of under-permission and over-permission together. An over-permission
occurs when an unauthorized role is allowed to perform an action
and an under-permission occurs when an authorized role is not
allowed to perform an action. Both of these are important failure
scenarios.

Current Patrole has an RbacOverPermission Exception but uses
a "Forbidden" as a pseudonym for the under-permission version
but this is not ideal for the following reasons:

* Patrole can expect a 404 Not Found due to Neutron policy enforcement [0]
* The naming is inconsistent with RbacOverPermission
* It should have a Patrole wrapper exception (NotFound is used directly
  from Tempest)

So, this patchset:

* renames RbacOverPermission to RbacOverPermissionException
* replaces Forbidden exception with RbacUnderPermissionException
* updates documentation, docstrings and unit tests

In addition, this patchset introduces a new exception called
RbacExpectedWrongException which is raised when the expected
exception does not match the actual exception and both are instances
of 403 and 404, which means that the RBAC test uses the wrong
expected_error_codes.

Change-Id: I681610448cbe0269f02c34ea6afaaaf29c306121

diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index e75b8ec..980672a 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -41,8 +41,27 @@
message = "RBAC resource setup failed"
-class RbacOverPermission(exceptions.TempestException):
- message = "Action performed that should not be permitted"
+class RbacOverPermissionException(exceptions.TempestException):
+ """Raised when the expected result is failure but the actual result is
+ pass.
+ """
+ message = "Unauthorized action was allowed to be performed"
+
+
+class RbacUnderPermissionException(exceptions.TempestException):
+ """Raised when the expected result is pass but the actual result is
+ failure.
+ """
+ message = "Authorized action was not allowed to be performed"
+
+
+class RbacExpectedWrongException(exceptions.TempestException):
+ """Raised when the expected exception does not match the actual exception
+ raised, when both are instances of Forbidden or NotFound, indicating
+ the test provides a wrong argument to `expected_error_codes`.
+ """
+ message = ("Expected %(expected)s to be raised but %(actual)s was raised "
+ "instead. Actual exception: %(exception)s")
class RbacInvalidService(exceptions.TempestException):
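Review bot: The rename at the top of this hunk removes `RbacOverPermission` outright, so any code outside this file that imports or catches the old name will break or silently stop catching over-permission failures. Consider keeping a module-level alias such as `RbacOverPermission = RbacOverPermissionException` for a deprecation period, or confirm that every caller is updated in the same change. Separately, the `RbacExpectedWrongException` message requires the format keys `expected`, `actual` and `exception`, but the docstring does not say so; listing them there would tell callers which keyword arguments to pass. As a style point, the new `Exception` suffix is not shared by the neighbouring `RbacInvalidService`, so the module now mixes two naming conventions.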