Felipe Monteiro | 44d7784 | 2018-03-21 02:42:59 +0000 | 1 | --- |
| 2 | features: |
| 3 | - | |
| 4 | Patrole now offers support for multiple policies. The ``rules`` argument |
| 5 | has been added to the ``rbac_rule_validation.action`` decorator, which |
| 6 | takes a list of policy names which Patrole will use to determine the |
| 7 | expected test result. This allows Patrole to more accurately determine |
| 8 | whether RBAC is configured correctly, since some API endpoints enforce |
| 9 | multiple policies. |
Cliff Parsons | 35a7711 | 2018-05-07 14:03:40 -0500 | 10 | |
| 11 | Multiple policy support includes the capability to specify multiple |
| 12 | expected error codes, as some components may return different error codes |
| 13 | for different roles due to checking multiple policy rules. The |
| 14 | ``expected_error_codes`` argument has been added to the |
| 15 | ``rbac_rule_validation.action`` decorator, which is a list of error codes |
| 16 | expected when the corresponding rule in the ``rules`` list is disallowed |
| 17 | to perform the API action. For this reason, the error codes in the |
| 18 | ``expected_error_codes`` list must appear in the same order as their |
| 19 | corresponding rules in the ``rules`` list. For example: |
| 20 | |
| 21 | expected_error_codes[0] is the error code for the rules[0] rule. |
| 22 | expected_error_codes[1] is the error code for the rules[1] rule. |
| 23 | ... |
| 24 | |
Felipe Monteiro | 44d7784 | 2018-03-21 02:42:59 +0000 | 25 | deprecations: |
| 26 | - | |
| 27 | The ``rule`` argument in the ``rbac_rule_validation.action`` decorator has |
| 28 | been deprecated in favor of ``rules``. |
Cliff Parsons | 35a7711 | 2018-05-07 14:03:40 -0500 | 29 | |
| 30 | The ``expected_error_code`` argument in the ``rbac_rule_validation.action`` |
| 31 | decorator has been deprecated in favor of ``expected_error_codes``. |
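
An added example, not part of Patrole or of this release note: a static check over test source that flags the deprecated ``rule`` and ``expected_error_code`` arguments, and any ``rbac_rule_validation.action`` call whose ``rules`` and ``expected_error_codes`` lists differ in length, since the codes are matched to rules by position. The sample module, its policy names and the ``lint`` helper are constructed for illustration, and the sample lists only the arguments named in the note.

```python
import ast

# Constructed sample test module; policy names and error codes are illustrative.
SAMPLE = '''
class ExampleRbacTest:
    @rbac_rule_validation.action(
        rules=["example:policy_a", "example:policy_b"],
        expected_error_codes=[403, 404])
    def test_ok(self): pass

    @rbac_rule_validation.action(rule="example:policy_a",
                                 expected_error_code=404)
    def test_deprecated(self): pass

    @rbac_rule_validation.action(
        rules=["example:policy_a", "example:policy_b"],
        expected_error_codes=[403])
    def test_mismatch(self): pass
'''

# Deprecated argument -> replacement, as listed in the release note.
DEPRECATED = {"rule": "rules", "expected_error_code": "expected_error_codes"}

def _is_action(dec):
    """True for a call written as rbac_rule_validation.action(...)."""
    f = getattr(dec, "func", None)
    return (isinstance(dec, ast.Call) and isinstance(f, ast.Attribute)
            and f.attr == "action" and isinstance(f.value, ast.Name)
            and f.value.id == "rbac_rule_validation")

def lint(source):
    """Return (test_name, message) findings for decorated tests in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in filter(_is_action, node.decorator_list):
            kw = {k.arg: k.value for k in dec.keywords if k.arg}
            for old, new in DEPRECATED.items():
                if old in kw:
                    findings.append((node.name, f"'{old}' is deprecated, use '{new}'"))
            rules, codes = kw.get("rules"), kw.get("expected_error_codes")
            # Only literal lists can be compared statically.
            if isinstance(rules, ast.List) and isinstance(codes, ast.List) \
                    and len(rules.elts) != len(codes.elts):
                findings.append((node.name, f"{len(rules.elts)} rules but "
                                 f"{len(codes.elts)} expected_error_codes"))
    return findings

if __name__ == "__main__":
    for name, msg in lint(SAMPLE):
        print(f"{name}: {msg}")
```

Equal lengths are necessary but not sufficient: the check cannot tell whether each code sits at the index of the rule it belongs to, so the ordering still needs review by hand.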