Merge "refactor: Rename PluginRbacTest => ExtRbacTest"
diff --git a/.zuul.yaml b/.zuul.yaml
index 555f6f7..085e775 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -31,7 +31,8 @@
neutron-trunk: true
tempest_concurrency: 2
tempest_test_regex: (?!.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)
- tox_envlist: all-plugin
+ tox_envlist: all
+ tox_extra_args: --sitepackages
- job:
name: patrole-base-multinode
@@ -60,7 +61,8 @@
neutron: true
tempest_concurrency: 1
tempest_test_regex: (?=.*\[.*\bslow\b.*\])(^patrole_tempest_plugin\.tests\.api)
- tox_envlist: all-plugin
+ tox_envlist: all
+ tox_extra_args: --sitepackages
- job:
name: patrole-admin
diff --git a/README.rst b/README.rst
index 6ca3747..31cd3b7 100644
--- a/README.rst
+++ b/README.rst
@@ -153,10 +153,11 @@
will run the same set of tests as the default gate jobs.
- You can also run Patrole tests using `tox`_. To do so, ``cd`` into the
+ You can also run Patrole tests using `tox`_, but as Patrole needs access to
+ global packages use ``--sitepackages`` argument. To do so, ``cd`` into the
**Tempest** directory and run::
- $ tox -eall-plugin -- patrole_tempest_plugin.tests.api
+ $ tox -eall --sitepackages -- patrole_tempest_plugin.tests.api
.. note::
diff --git a/REVIEWING.rst b/REVIEWING.rst
index 7e3c71f..4ee847f 100644
--- a/REVIEWING.rst
+++ b/REVIEWING.rst
@@ -109,6 +109,58 @@
whether to skip or not.
+Multi-Policy Guidelines
+-----------------------
+
+Care should be taken when using multiple policies in an RBAC test. The
+following guidelines should be followed before deciding to add multiple
+policies to a Patrole test.
+
+.. _general-multi-policy-guidelines:
+
+General Multi-policy API Code Guidelines
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The list below enumerates guidelines beginning with those with the highest
+priority and ending with those with the lowest priority. A higher priority
+item takes precedence over lower priority items.
+
+#. Order the policies in the ``rules`` parameter chronologically with respect
+ to the order they're called by the API endpoint under test.
+#. Only use policies that map to the API by referencing the appropriate policy
+ in code documentation.
+#. Only include the minimum number of policies needed to test the API
+ correctly: don't add extraneous policies.
+#. If possible, only use policies that directly relate to the API. If the
+ policies are used across multiple APIs, try to omit it. If a "generic"
+ policy needs to be added to get the test to pass, then this is fair game.
+#. Limit the number of policies to a reasonable number, such as 3.
+
+Neutron Multi-policy API Code Guidelines
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Because Neutron can raise a 403 or 404 following failed authorization, Patrole
+uses the ``expected_error_codes`` parameter to accommodate this behavior.
+Each policy action enumerated in ``rules`` must have a corresponding entry
+in ``expected_error_codes``. Each expected error code must be either a 403 or a
+404, which indicates that, when policy enforcement fails for the corresponding
+policy action, that error code is expected by Patrole. For more information
+about these parameters, see :ref:`rbac-validation`.
+
+The list below enumerates additional multi-policy guidelines that apply in
+particular to Neutron. A higher priority item takes precedence over lower
+priority items.
+
+#. Order the expected error codes in the ``expected_error_codes`` parameter
+ chronologically with respect to the order each corresponding policy in
+ ``rules`` is authorized by the API under test.
+#. Ensure the :ref:`neutron-multi-policy-validation` is followed when
+ determining the expected error code for each corresponding policy.
+
+The same guidelines under :ref:`general-multi-policy-guidelines` should be
+applied afterward.
+
+
Release Notes
-------------
Release notes are how we indicate to users and other consumers of Patrole what
diff --git a/doc/source/index.rst b/doc/source/index.rst
index c03aac6..a9dcdc0 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -17,6 +17,7 @@
:maxdepth: 2
rbac-overview
+ multi-policy-validation
User's Guide
============
diff --git a/doc/source/multi-policy-validation.rst b/doc/source/multi-policy-validation.rst
new file mode 100644
index 0000000..d38b31e
--- /dev/null
+++ b/doc/source/multi-policy-validation.rst
@@ -0,0 +1,187 @@
+.. _multi-policy-validation:
+
+=======================
+Multi-policy Validation
+=======================
+
+Introduction
+------------
+
+Multi-policy validation exists in Patrole because if one policy were assumed,
+then tests could fail because they would not consider all the policies actually
+being enforced. The reasoning can be found in `this spec`_. Basically,
+since Patrole derives the expected test result dynamically in order to test any
+role, each policy enforced by the API under test must be considered to derive
+an accurate expected test result, or else the expected and actual test
+results will not always match, resulting in overall test failure. For more
+information about Patrole's RBAC validation work flow, reference
+:ref:`rbac-validation`.
+
+Multi-policy support allows Patrole to more accurately offer RBAC tests for API
+endpoints that enforce multiple policy actions.
+
+.. _this spec: https://github.com/openstack/qa-specs/blob/master/specs/patrole/rbac-testing-multiple-policies.rst
+
+Scope
+-----
+
+Multiple policies should be applied only to tests that require them. Not all
+API endpoints enforce multiple policies. Some services consistently enforce
+1 policy per API, while on the other side of the spectrum, services like
+Neutron have much more involved policy enforcement work flows. See
+:ref:`neutron-multi-policy-validation` for more information.
+
+.. _neutron-multi-policy-validation:
+
+Neutron Multi-policy Validation
+-------------------------------
+
+Neutron can raise different :ref:`policy-error-codes` following failed policy
+authorization. Many endpoints in Neutron enforce multiple policies, which
+complicates matters when trying to determine whether the endpoint raises a
+403 or a 404 following unauthorized access.
+
+Multi-policy Examples
+---------------------
+
+General Examples
+^^^^^^^^^^^^^^^^
+
+Below is an example of multi-policy validation for a carefully chosen Nova API:
+
+.. code-block:: python
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rules=["os_compute_api:os-lock-server:unlock",
+ "os_compute_api:os-lock-server:unlock:unlock_override"])
+ @decorators.idempotent_id('40dfeef9-73ee-48a9-be19-a219875de457')
+ def test_unlock_server_override(self):
+ """Test force unlock server, part of os-lock-server.
+
+ In order to trigger the unlock:unlock_override policy instead
+ of the unlock policy, the server must be locked by a different
+ user than the one who is attempting to unlock it.
+ """
+ self.os_admin.servers_client.lock_server(self.server['id'])
+ self.addCleanup(self.servers_client.unlock_server, self.server['id'])
+
+ with self.rbac_utils.override_role(self):
+ self.servers_client.unlock_server(self.server['id'])
+
+While the ``expected_error_codes`` parameter is omitted in the example above,
+Patrole automatically populates it with a 403 for each policy in ``rules``.
+Therefore, in the example above, the following expected error codes/rules
+relationship is observed:
+
+* "os_compute_api:os-lock-server:unlock" => 403
+* "os_compute_api:os-lock-server:unlock:unlock_override" => 403
+
+Below is an example that uses ``expected_error_codes`` to account for the
+fact that Neutron is expected to raise a ``404`` on the first policy that
+is enforced server-side ("get_port"). Also, in this example, soft authorization
+is performed, meaning that it is necessary to check the response body for an
+attribute that is added only following successful policy authorization.
+
+.. code-block:: python
+
+ @utils.requires_ext(extension='binding', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_port",
+ "get_port:binding:vif_type"],
+ expected_error_codes=[404, 403])
+ @decorators.idempotent_id('125aff0b-8fed-4f8e-8410-338616594b06')
+ def test_show_port_binding_vif_type(self):
+
+ # Verify specific fields of a port
+ fields = ['binding:vif_type']
+
+ with self.rbac_utils.override_role(self):
+ retrieved_port = self.ports_client.show_port(
+ self.port['id'], fields=fields)['port']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if fields[0] not in retrieved_port:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='binding:vif_type')
+
+Note that in the example above, failure to authorize
+"get_port:binding:vif_type" results in the response body getting successfully
+returned by the server, but without additional dictionary keys. If Patrole
+fails to find those expected keys, it *acts as though* a 403 was thrown (by
+raising an exception itself, the ``rbac_rule_validation`` decorator handles
+the rest).
+
+Neutron Examples
+^^^^^^^^^^^^^^^^
+
+A basic Neutron example that only expects 403's to be raised:
+
+.. code-block:: python
+
+ @utils.requires_ext(extension='external-net', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["create_network",
+ "create_network:router:external"],
+ expected_error_codes=[403, 403])
+ @decorators.idempotent_id('51adf2a7-739c-41e0-8857-3b4c460cbd24')
+ def test_create_network_router_external(self):
+
+ """Create External Router Network Test
+
+ RBAC test for the neutron create_network:router:external policy
+ """
+ with self.rbac_utils.override_role(self):
+ self._create_network(router_external=True)
+
+Note that above the following expected error codes/rules relationship is
+observed:
+
+* "create_network" => 403
+* "create_network:router:external" => 403
+
+A more involved example that expects a 404 to be raised, should the first
+policy under ``rules`` fail authorization, and a 403 to be raised for any
+subsequent policy authorization failure:
+
+.. code-block:: python
+
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_network",
+ "update_network",
+ "update_network:shared"],
+ expected_error_codes=[404, 403, 403])
+ @decorators.idempotent_id('37ea3e33-47d9-49fc-9bba-1af98fbd46d6')
+ def test_update_network_shared(self):
+
+ """Update Shared Network Test
+
+ RBAC test for the neutron update_network:shared policy
+ """
+ with self.rbac_utils.override_role(self):
+ self._update_network(shared_network=True)
+ self.addCleanup(self._update_network, shared_network=False)
+
+Note that above the following expected error codes/rules relationship is
+observed:
+
+* "get_network" => 404
+* "update_network" => 403
+* "update_network:shared" => 403
+
+Limitations
+-----------
+
+Multi-policy validation in RBAC tests comes with limitations, due to technical
+and practical challenges.
+
+Technically, there are challenges associated with multiple policies across
+cross-service API communication in OpenStack, such as between Nova and Cinder
+or Nova and Neutron. The current framework does not account for these
+cross-service policy enforcement workflows, and it is still up for debate
+whether it should.
+
+Practically, it is not possible to enumerate every policy enforced by every API
+in Patrole, as the maintenance overhead would be huge.
+
+.. _Neutron policy documentation: https://docs.openstack.org/neutron/pike/contributor/internals/policy.html
diff --git a/doc/source/rbac-overview.rst b/doc/source/rbac-overview.rst
index 09ab17d..acfd66f 100644
--- a/doc/source/rbac-overview.rst
+++ b/doc/source/rbac-overview.rst
@@ -124,12 +124,9 @@
degree of log tracing is required by developers to confirm that the expected
policies are getting enforced, prior to the tests getting merged.
-.. todo::
+For more information, see :ref:`multi-policy-validation`.
- Link to multi-policy validation documentation section once it has been
- written.
-
-.. _error-codes:
+.. _policy-error-codes:
Error Codes
-----------
@@ -196,7 +193,7 @@
in an exception getting raised or a boolean value getting returned.
Hard authorization results in an exception getting raised. Usually, this
results in a ``403 Forbidden`` getting returned for unauthorized requests.
- (See :ref:`error-codes` for further details.)
+ (See :ref:`policy-error-codes` for further details.)
Related term: :term:`soft authorization`.
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index 6bdd7df..ad697b0 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -20,16 +20,34 @@
message = "An unknown RBAC exception occurred"
-class RbacMalformedResponse(BasePatroleException):
- message = ("The response body is missing the expected %(attribute)s due "
- "to policy enforcement failure.")
+class BasePatroleResponseBodyException(BasePatroleException):
+ message = "Response body incomplete due to RBAC authorization failure"
- def __init__(self, empty=False, **kwargs):
- if empty:
- self.message = ("The response body is empty due to policy "
- "enforcement failure.")
- kwargs = {}
- super(RbacMalformedResponse, self).__init__(**kwargs)
+
+class RbacMissingAttributeResponseBody(BasePatroleResponseBodyException):
+ """Raised when a list or show action is missing an attribute following
+ RBAC authorization failure.
+ """
+ message = ("The response body is missing the expected %(attribute)s due "
+ "to policy enforcement failure")
+
+
+class RbacPartialResponseBody(BasePatroleResponseBodyException):
+ """Raised when a list action only returns a subset of the available
+ resources.
+
+ For example, admin can return more resources than member for a list action.
+ """
+ message = ("The response body only lists a subset of the available "
+ "resources due to partial policy enforcement failure. Response "
+ "body: %(body)s")
+
+
+class RbacEmptyResponseBody(BasePatroleResponseBodyException):
+ """Raised when a list or show action is empty following RBAC authorization
+ failure.
+ """
+ message = ("The response body is empty due to policy enforcement failure.")
class RbacResourceSetupFailed(BasePatroleException):
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 575e2c3..9ca437b 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -198,7 +198,8 @@
test_status = ('Error, %s' % (msg))
LOG.error(msg)
except (expected_exception,
- rbac_exceptions.RbacMalformedResponse) as actual_exception:
+ rbac_exceptions.BasePatroleResponseBodyException) \
+ as actual_exception:
caught_exception = actual_exception
test_status = 'Denied'
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index 317c1ad..8d4d70f 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -50,7 +50,7 @@
expected_attr = 'os-flavor-access:is_public'
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -71,7 +71,7 @@
# If the `expected_attr` was not found in any flavor, then policy
# enforcement failed.
if not public_flavors:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@decorators.idempotent_id('39cb5c8f-9990-436f-9282-fc76a41d9bac')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
index 0748e67..cbb2e19 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@@ -45,7 +45,7 @@
with self.rbac_utils.override_role(self):
result = self.flavors_client.list_flavors(detail=True)['flavors']
if 'rxtx_factor' not in result[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='rxtx_factor')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -59,5 +59,5 @@
result = self.flavors_client.show_flavor(
CONF.compute.flavor_ref)['flavor']
if 'rxtx_factor' not in result:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='rxtx_factor')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
index f6c1b67..e16222c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_images_rbac.py
@@ -294,7 +294,7 @@
expected_attr = 'OS-EXT-IMG-SIZE:size'
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -310,5 +310,5 @@
expected_attr = 'OS-EXT-IMG-SIZE:size'
if expected_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index a64bd20..0ff6ebe 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -403,5 +403,5 @@
server = self.servers_client.show_server(self.server_id)['server']
if 'host_status' not in server:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='host_status')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index 88bea25..64e1300 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -143,7 +143,7 @@
expected_attr = 'config_drive'
# If the first server contains "config_drive", then all the others do.
if expected_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -159,7 +159,7 @@
body = self.servers_client.show_server(self.server['id'])['server']
expected_attr = 'config_drive'
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@utils.requires_ext(extension='os-deferred-delete', service='compute')
@@ -188,7 +188,7 @@
body = self.servers_client.list_servers(detail=True)['servers']
# If the first server contains `expected_attr`, then all the others do.
if expected_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -205,7 +205,7 @@
with self.rbac_utils.override_role(self):
body = self.servers_client.show_server(self.server['id'])['server']
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -229,7 +229,7 @@
for attr in ('host', 'instance_name'):
whole_attr = 'OS-EXT-SRV-ATTR:%s' % attr
if whole_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=whole_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -253,7 +253,7 @@
for attr in ('host', 'instance_name'):
whole_attr = 'OS-EXT-SRV-ATTR:%s' % attr
if whole_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=whole_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -272,7 +272,7 @@
'OS-EXT-STS:power_state')
for attr in expected_attrs:
if attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -291,7 +291,7 @@
'OS-EXT-STS:power_state')
for attr in expected_attrs:
if attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -310,7 +310,7 @@
with self.rbac_utils.override_role(self):
body = self.servers_client.list_servers(detail=True)['servers']
if expected_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -329,7 +329,7 @@
with self.rbac_utils.override_role(self):
body = self.servers_client.show_server(self.server['id'])['server']
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@utils.requires_ext(extension='os-instance-actions', service='compute')
@@ -360,12 +360,12 @@
self.server['id'], request_id)['instanceAction']
if 'events' not in instance_action:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='events')
# Microversion 2.51+ returns 'events' always, but not 'traceback'. If
# 'traceback' is also present then policy enforcement passed.
if 'traceback' not in instance_action['events'][0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='events.traceback')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -379,7 +379,7 @@
result = self.servers_client.show_server(self.server['id'])[
'server']
if 'key_name' not in result:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='key_name')
@testtools.skipIf(CONF.policy_feature_enabled.removed_nova_policies_stein,
@@ -392,7 +392,7 @@
with self.rbac_utils.override_role(self):
result = self.servers_client.list_servers(detail=True)['servers']
if 'key_name' not in result[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='key_name')
@rbac_rule_validation.action(
@@ -514,7 +514,7 @@
body = self.servers_client.show_server(self.server['id'])['server']
for expected_attr in expected_attrs:
if expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@utils.requires_ext(extension='os-simple-tenant-usage', service='compute')
diff --git a/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py b/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
index c985111..b449970 100644
--- a/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
@@ -118,4 +118,4 @@
LOG.info("NotFound or Forbidden exception are not thrown when "
"role doesn't have access to the endpoint. Instead, "
"the response will have an empty network body.")
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index 96ba378..b39489a 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -363,7 +363,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -384,7 +384,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(
@@ -406,7 +406,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@utils.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(
@@ -428,7 +428,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@rbac_rule_validation.action(service="neutron",
rules=["get_network", "delete_network"],
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index b65bd73..dd3537f 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -183,7 +183,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='binding:vif_type')
@utils.requires_ext(extension='binding', service='network')
@@ -203,7 +203,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='binding:vif_details')
@utils.requires_ext(extension='binding', service='network')
@@ -226,7 +226,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='binding:host_id')
@utils.requires_ext(extension='binding', service='network')
@@ -250,7 +250,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='binding:profile')
@rbac_rule_validation.action(service="neutron",
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index f850a3e..399ad47 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -179,7 +179,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if 'distributed' not in retrieved_fields:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='distributed')
@decorators.idempotent_id('defc502c-4159-4824-b4d9-3cdcc39015b2')
@@ -201,7 +201,7 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if 'ha' not in retrieved_fields:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='ha')
@rbac_rule_validation.action(service="neutron",
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index 9112bf6..e9fa018 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -126,7 +126,7 @@
# Neutron may return an empty list if access is denied.
if not security_groups['security_groups']:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@rbac_rule_validation.action(service="neutron",
rules=["create_security_group_rule"])
@@ -170,4 +170,4 @@
# Neutron may return an empty list if access is denied.
if not security_rules['security_group_rules']:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
index 9a5ebe4..8fe157a 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -73,7 +73,7 @@
# Neutron may return an empty list if access is denied.
if not subnets['subnets']:
- raise rbac_exceptions.RbacMalformedResponse(empty=True)
+ raise rbac_exceptions.RbacEmptyResponseBody()
@decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
@rbac_rule_validation.action(service="neutron",
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
index 14b3151..1d0a44d 100644
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -32,10 +32,10 @@
def setup_clients(cls):
super(BaseVolumeRbacTest, cls).setup_clients()
cls.setup_rbac_utils()
- cls.volume_hosts_client = cls.os_primary.volume_hosts_v2_client
- cls.volume_types_client = cls.os_primary.volume_types_v2_client
- cls.groups_client = cls.os_primary.groups_v3_client
- cls.group_types_client = cls.os_primary.group_types_v3_client
+ cls.volume_hosts_client = cls.os_primary.volume_hosts_client_latest
+ cls.volume_types_client = cls.os_primary.volume_types_client_latest
+ cls.groups_client = cls.os_primary.groups_client_latest
+ cls.group_types_client = cls.os_primary.group_types_client_latest
@classmethod
def create_volume_type(cls, name=None, **kwargs):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py
index fa1157a..3770f84 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_capabilities_rbac.py
@@ -32,8 +32,9 @@
@classmethod
def setup_clients(cls):
super(CapabilitiesV3RbacTest, cls).setup_clients()
- cls.capabilities_client = cls.os_primary.volume_capabilities_v2_client
- cls.hosts_client = cls.os_primary.volume_hosts_v2_client
+ cls.capabilities_client = \
+ cls.os_primary.volume_capabilities_client_latest
+ cls.hosts_client = cls.os_primary.volume_hosts_client_latest
@rbac_rule_validation.action(service="cinder",
rules=["volume_extension:capabilities"])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_encryption_types_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_encryption_types_rbac.py
index 0eb0244..8443943 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_encryption_types_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_encryption_types_rbac.py
@@ -56,7 +56,8 @@
@classmethod
def setup_clients(cls):
super(EncryptionTypesV3RbacTest, cls).setup_clients()
- cls.encryption_types_client = cls.os_primary.encryption_types_v2_client
+ cls.encryption_types_client = \
+ cls.os_primary.encryption_types_client_latest
def _create_volume_type_encryption(self):
vol_type_id = self.create_volume_type()['id']
diff --git a/patrole_tempest_plugin/tests/api/volume/test_group_snapshots_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_group_snapshots_rbac.py
index 1d59f9b..56a0233 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_group_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_group_snapshots_rbac.py
@@ -75,7 +75,7 @@
def setup_clients(cls):
super(GroupSnaphotsV314RbacTest, cls).setup_clients()
cls.group_snapshot_client = \
- cls.os_primary.group_snapshots_v3_client
+ cls.os_primary.group_snapshots_client_latest
def setUp(self):
super(GroupSnaphotsV314RbacTest, self).setUp()
@@ -172,7 +172,7 @@
def setup_clients(cls):
super(GroupSnaphotsV319RbacTest, cls).setup_clients()
cls.group_snapshot_client = \
- cls.os_primary.group_snapshots_v3_client
+ cls.os_primary.group_snapshots_client_latest
def setUp(self):
super(GroupSnaphotsV319RbacTest, self).setUp()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
index c117d23..730e349 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@@ -208,7 +208,7 @@
group_type = self.create_group_type(ignore_notfound=True)
if 'group_specs' not in group_type:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='group_specs')
@decorators.idempotent_id('8d9e2831-24c3-47b7-a76a-2e563287f12f')
@@ -221,5 +221,5 @@
resp_body = self.group_types_client.show_group_type(
group_type['id'])['group_type']
if 'group_specs' not in resp_body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute='group_specs')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
index 3127d83..2bd0992 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_limits_rbac.py
@@ -51,4 +51,5 @@
'limits']['absolute']
for key in expected_keys:
if key not in absolute_limits:
- raise rbac_exceptions.RbacMalformedResponse(attribute=key)
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
+ attribute=key)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
index 5664bf9..2f144b0 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_qos_rbac.py
@@ -27,7 +27,7 @@
@classmethod
def setup_clients(cls):
super(VolumeQOSV3RbacTest, cls).setup_clients()
- cls.qos_client = cls.os_primary.volume_qos_v2_client
+ cls.qos_client = cls.os_primary.volume_qos_client_latest
def _create_test_qos_specs(self, name=None, consumer=None, **kwargs):
name = name or data_utils.rand_name(self.__class__.__name__ + '-QoS')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
index efcfdaf..ff12cba 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_scheduler_stats_rbac.py
@@ -33,7 +33,7 @@
def setup_clients(cls):
super(SchedulerStatsV3RbacTest, cls).setup_clients()
cls.scheduler_stats_client =\
- cls.os_primary.volume_scheduler_stats_v2_client
+ cls.os_primary.volume_scheduler_stats_client_latest
@rbac_rule_validation.action(
service="cinder",
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
index e2887e0..1fc4c24 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshot_manage_rbac.py
@@ -40,7 +40,8 @@
@classmethod
def setup_clients(cls):
super(SnapshotManageRbacTest, cls).setup_clients()
- cls.snapshot_manage_client = cls.os_primary.snapshot_manage_v2_client
+ cls.snapshot_manage_client = \
+ cls.os_primary.snapshot_manage_client_latest
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
index 962a9b1..11c42b1 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_user_messages_rbac.py
@@ -31,7 +31,7 @@
@classmethod
def setup_clients(cls):
super(MessagesV3RbacTest, cls).setup_clients()
- cls.messages_client = cls.os_primary.volume_v3_messages_client
+ cls.messages_client = cls.os_primary.volume_messages_client_latest
def _create_user_message(self):
"""Trigger a 'no valid host' situation to generate a message."""
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 6c2c84d..7e0044d 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -111,7 +111,7 @@
'volumes']
expected_attr = 'volume_image_metadata'
if expected_attr not in resp_body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@decorators.idempotent_id('53f94d52-0dd5-42cf-a3a4-59b35150b3d5')
@@ -129,7 +129,7 @@
'volume']
expected_attr = 'volume_image_metadata'
if expected_attr not in resp_body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@decorators.idempotent_id('a9d9e825-5ea3-42e6-96f3-7ac4e97b2ed0')
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
index cd1fb6e..f49c2fd 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
@@ -32,7 +32,7 @@
@classmethod
def setup_clients(cls):
super(VolumeQuotasV3RbacTest, cls).setup_clients()
- cls.quotas_client = cls.os_primary.volume_quotas_v2_client
+ cls.quotas_client = cls.os_primary.volume_quotas_client_latest
def _restore_default_quota_set(self):
default_quota_set = self.quotas_client.show_default_quota_set(
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
index 9f97a82..0f4e458 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_services_rbac.py
@@ -36,7 +36,7 @@
@classmethod
def setup_clients(cls):
super(VolumeServicesV3RbacTest, cls).setup_clients()
- cls.services_client = cls.os_primary.volume_services_v2_client
+ cls.services_client = cls.os_primary.volume_services_client_latest
@decorators.idempotent_id('b9134f01-97c0-4abd-9455-fe2f03e3f966')
@rbac_rule_validation.action(
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
index b7e45f9..5e0fd21 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -26,7 +26,7 @@
@classmethod
def setup_clients(cls):
super(VolumesTransfersV3RbacTest, cls).setup_clients()
- cls.transfers_client = cls.os_primary.volume_transfers_v2_client
+ cls.transfers_client = cls.os_primary.volume_transfers_client_latest
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index bf22341..0efeb33 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -210,7 +210,7 @@
# Show backup API attempts to inject the attribute below into the
# response body but only if policy enforcement succeeds.
if self.expected_attr not in body:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=self.expected_attr)
@decorators.idempotent_id('aa40b7c0-5974-48be-8cbc-e23cc61c4c68')
@@ -221,7 +221,7 @@
body = self.backups_client.list_backups(detail=True)['backups']
if self.expected_attr not in body[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=self.expected_attr)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_manage_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_manage_rbac.py
index 2782e22..9f21c4a 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_manage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_manage_rbac.py
@@ -41,7 +41,7 @@
@classmethod
def setup_clients(cls):
super(VolumesManageV3RbacTest, cls).setup_clients()
- cls.volume_manage_client = cls.os_primary.volume_manage_v2_client
+ cls.volume_manage_client = cls.os_primary.volume_manage_client_latest
def _manage_volume(self, org_volume):
# Manage volume
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
index 40469a2..55adf1a 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
@@ -76,7 +76,7 @@
self.snapshot['id'])['snapshot']
for expected_attr in expected_attrs:
if expected_attr not in resp:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
@rbac_rule_validation.action(service="cinder",
@@ -136,5 +136,5 @@
resp = self._list_by_param_values(with_detail=True, **params)
for expected_attr in expected_attrs:
if expected_attr not in resp[0]:
- raise rbac_exceptions.RbacMalformedResponse(
+ raise rbac_exceptions.RbacMissingAttributeResponseBody(
attribute=expected_attr)
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
index 1531df1..9e547b8 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
@@ -46,8 +46,9 @@
project_id=mock.sentinel.project_id)
setattr(self.mock_test_args.os_primary, 'credentials', mock_creds)
+ self.test_roles = ['member']
self.useFixture(
- patrole_fixtures.ConfPatcher(rbac_test_roles=['member'],
+ patrole_fixtures.ConfPatcher(rbac_test_roles=self.test_roles,
group='patrole'))
# Disable patrole log for unit tests.
self.useFixture(
@@ -69,9 +70,10 @@
project_id=mock.sentinel.project_id)
setattr(self.mock_test_args.os_primary, 'credentials', mock_creds)
+ self.test_roles = ['member', 'anotherrole']
self.useFixture(
- patrole_fixtures.ConfPatcher(
- rbac_test_roles=['member', 'anotherrole'], group='patrole'))
+ patrole_fixtures.ConfPatcher(rbac_test_roles=self.test_roles,
+ group='patrole'))
# Disable patrole log for unit tests.
self.useFixture(
patrole_fixtures.ConfPatcher(enable_reporting=False,
@@ -150,43 +152,66 @@
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
- def test_rule_validation_rbac_malformed_response_positive(
+ def test_rule_validation_rbac_failed_response_body_positive(
self, mock_authority, mock_log):
- """Test RbacMalformedResponse error is thrown without permission
- passes.
+ """Test BasePatroleResponseBodyException error is thrown without
+ permission passes.
- Positive test case: if RbacMalformedResponse is thrown and the user is
- not allowed to perform the action, then this is a success.
+ Positive test case: if subclass of BasePatroleResponseBodyException is
+ thrown and the user is not allowed to perform the action, then this is
+ a success.
"""
mock_authority.PolicyAuthority.return_value.allowed.return_value =\
False
- @rbac_rv.action(mock.sentinel.service, rules=[mock.sentinel.action])
- def test_policy(*args):
- raise rbac_exceptions.RbacMalformedResponse()
+ def _do_test(exception_cls, **kwargs):
+ @rbac_rv.action(mock.sentinel.service,
+ rules=[mock.sentinel.action])
+ def test_policy(*args):
+ raise exception_cls(**kwargs)
- mock_log.error.assert_not_called()
+ mock_log.error.assert_not_called()
+ mock_log.warning.assert_not_called()
+
+ _do_test(rbac_exceptions.RbacMissingAttributeResponseBody,
+ attribute=mock.sentinel.attr)
+ _do_test(rbac_exceptions.RbacPartialResponseBody,
+ body=mock.sentinel.body)
+ _do_test(rbac_exceptions.RbacEmptyResponseBody)
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
- def test_rule_validation_rbac_malformed_response_negative(
+ def test_rule_validation_soft_authorization_exceptions(
self, mock_authority, mock_log):
- """Test RbacMalformedResponse error is thrown with permission fails.
+ """Test RbacUnderPermissionException error is thrown when any of the
+ soft authorization-related exceptions are raised by a test.
- Negative test case: if RbacMalformedResponse is thrown and the user is
- allowed to perform the action, then this is an expected failure.
+ Negative test case: if subclass of BasePatroleResponseBodyException is
+ thrown and the user is allowed to perform the action, then this is an
+ expected failure.
"""
mock_authority.PolicyAuthority.return_value.allowed.return_value = True
- @rbac_rv.action(mock.sentinel.service, rules=[mock.sentinel.action])
- def test_policy(*args):
- raise rbac_exceptions.RbacMalformedResponse()
+ def _do_test(exception_cls, **kwargs):
+ @rbac_rv.action(mock.sentinel.service,
+ rules=[mock.sentinel.action])
+ def test_policy(*args):
+ raise exception_cls(**kwargs)
- test_re = ("User with roles \['member'\] was not allowed to perform "
- "the following actions: \[%s\]. " % (mock.sentinel.action))
- self.assertRaisesRegex(rbac_exceptions.RbacUnderPermissionException,
- test_re, test_policy, self.mock_test_args)
- self.assertRegex(mock_log.error.mock_calls[0][1][0], test_re)
+ test_re = (".*User with roles \[%s\] was not allowed to "
+ "perform the following actions: \[%s\].*" % (
+ ', '.join("'%s'" % r for r in self.test_roles),
+ mock.sentinel.action))
+ self.assertRaisesRegex(
+ rbac_exceptions.RbacUnderPermissionException, test_re,
+ test_policy, self.mock_test_args)
+ self.assertRegex(mock_log.error.mock_calls[0][1][0], test_re)
+
+ _do_test(rbac_exceptions.RbacMissingAttributeResponseBody,
+ attribute=mock.sentinel.attr)
+ _do_test(rbac_exceptions.RbacPartialResponseBody,
+ body=mock.sentinel.body)
+ _do_test(rbac_exceptions.RbacEmptyResponseBody)
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
@@ -399,28 +424,6 @@
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
- def test_rule_validation_rbac_malformed_response_negative(
- self, mock_authority, mock_log):
- """Test RbacMalformedResponse error is thrown with permission fails.
-
- Negative test case: if RbacMalformedResponse is thrown and the user is
- allowed to perform the action, then this is an expected failure.
- """
- mock_authority.PolicyAuthority.return_value.allowed.return_value = True
-
- @rbac_rv.action(mock.sentinel.service, rules=[mock.sentinel.action])
- def test_policy(*args):
- raise rbac_exceptions.RbacMalformedResponse()
-
- test_re = ("User with roles \['member', 'anotherrole'\] was not "
- "allowed to perform the following actions: \[%s\]. " %
- (mock.sentinel.action))
- self.assertRaisesRegex(rbac_exceptions.RbacUnderPermissionException,
- test_re, test_policy, self.mock_test_args)
- self.assertRegex(mock_log.error.mock_calls[0][1][0], test_re)
-
- @mock.patch.object(rbac_rv, 'LOG', autospec=True)
- @mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
def test_expect_not_found_and_raise_not_found(self, mock_authority,
mock_log):
"""Test that expecting 404 and getting 404 works for all scenarios.
@@ -960,7 +963,7 @@
def test_rule_validation_override_role_patrole_exception_ignored(
self, mock_authority):
"""Test success case where Patrole exception is raised (which is
- valid in case of e.g. RbacMalformedException) after override_role
+ valid in case of e.g. RbacPartialResponseBody) after override_role
passes.
"""
mock_authority.PolicyAuthority.return_value.allowed.return_value =\
diff --git a/releasenotes/notes/break-up-rbac-malformed-exception-into-discrete-exceptions-92aedb99d0a13f58.yaml b/releasenotes/notes/break-up-rbac-malformed-exception-into-discrete-exceptions-92aedb99d0a13f58.yaml
new file mode 100644
index 0000000..0a93b64
--- /dev/null
+++ b/releasenotes/notes/break-up-rbac-malformed-exception-into-discrete-exceptions-92aedb99d0a13f58.yaml
@@ -0,0 +1,25 @@
+---
+features:
+ - |
+ The exception class ``RbacMalformedException`` has been broken up into the
+ following discrete exceptions:
+
+ * ``RbacMissingAttributeResponseBody`` - incomplete means that the
+ response body (for show or list) is missing certain attributes
+ * ``RbacPartialResponseBody`` - partial means that a list response
+ only returned a subset of the possible results available.
+ * ``RbacEmptyResponseBody`` - empty means that the show or list
+ response body is entirely empty
+
+ Each of the exception classes above deals with a different type of failure
+ related to a soft authorization failure. This means that, rather than a
+ 403 error code getting returned by the server, the response body is
+ incomplete in some way.
+upgrade:
+ - |
+ The exception class ``RbacMalformedException`` has been removed. Use one
+ of the following exception classes instead:
+
+ * ``RbacMissingAttributeResponseBody``
+ * ``RbacPartialResponseBody``
+ * ``RbacEmptyResponseBody``