Felipe Monteiro | eb197db | 2018-06-10 12:21:49 -0400 | [diff] [blame] | 1 | Patrole Coding Guide |
| 2 | ==================== |
DavidPurcell | 663aedf | 2017-01-03 10:01:14 -0500 | [diff] [blame] | 3 | |
gaozx | 6f663e0 | 2017-08-10 10:24:16 +0800 | [diff] [blame] | 4 | - Step 1: Read the OpenStack Style Commandments: `<https://docs.openstack.org/hacking/latest/>`__ |
| 5 | - Step 2: Review Tempest's Style Commandments: `<https://docs.openstack.org/tempest/latest/HACKING.html>`__ |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 6 | - Step 3: Read on |
Felipe Monteiro | 7bc35dc | 2017-04-19 21:11:46 +0100 | [diff] [blame] | 7 | |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 8 | Patrole Specific Commandments |
| 9 | ------------------------------ |
| 10 | |
| 11 | Patrole borrows the following commandments from Tempest; refer to |
gaozx | 6f663e0 | 2017-08-10 10:24:16 +0800 | [diff] [blame] | 12 | `Tempest's Commandments <https://docs.openstack.org/tempest/latest/HACKING.html>`__ |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 13 | for more information: |
| 14 | |
| 15 | .. note:: |
| 16 | |
| 17 | The original Tempest Commandments do not include Patrole-specific paths. |
| 18 | Patrole-specific paths replace the Tempest-specific paths within Patrole's |
| 19 | hacking checks. |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 20 | |
Felipe Monteiro | fdc4514 | 2018-07-18 20:54:20 +0100 | [diff] [blame] | 21 | - [T102] Cannot import OpenStack python clients in |
| 22 | ``patrole_tempest_plugin/tests/api`` |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 23 | - [T105] Tests cannot use setUpClass/tearDownClass |
| 24 | - [T106] vim configuration should not be kept in source files. |
| 25 | - [T107] Check that a service tag isn't in the module path |
| 26 | - [T108] Check no hyphen at the end of rand_name() argument |
| 27 | - [T109] Cannot use testtools.skip decorator; instead use |
Felipe Monteiro | fdc4514 | 2018-07-18 20:54:20 +0100 | [diff] [blame] | 28 | ``decorators.skip_because`` from ``tempest.lib`` |
| 29 | - [T113] Check that tests use ``data_utils.rand_uuid()`` instead of |
| 30 | ``uuid.uuid4()`` |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 31 | - [N322] Method's default argument shouldn't be mutable |
| 32 | |
| 33 | The following are Patrole's specific Commandments: |
| 34 | |
| 35 | - [P100] The ``rbac_rule_validation.action`` decorator must be applied to |
Felipe Monteiro | 904a02b | 2018-10-21 12:54:46 -0400 | [diff] [blame] | 36 | all RBAC tests |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 37 | - [P101] RBAC test filenames must end with "_rbac.py"; for example, |
Felipe Monteiro | fdc4514 | 2018-07-18 20:54:20 +0100 | [diff] [blame] | 38 | test_servers_rbac.py, not test_servers.py |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 39 | - [P102] RBAC test class names must end in 'RbacTest' |
Samantha Blanco | cd87077 | 2017-05-22 14:23:17 -0400 | [diff] [blame] | 40 | - [P103] ``self.client`` must not be used as a client alias; this allows for |
Felipe Monteiro | fdc4514 | 2018-07-18 20:54:20 +0100 | [diff] [blame] | 41 | code that is more maintainable and easier to read |
Felipe Monteiro | bbbdd93 | 2018-10-31 23:28:39 -0400 | [diff] [blame] | 42 | - [P104] RBAC `extension test class`_ names must end in 'ExtRbacTest' |
Felipe Monteiro | 904a02b | 2018-10-21 12:54:46 -0400 | [diff] [blame] | 43 | |
Felipe Monteiro | bbbdd93 | 2018-10-31 23:28:39 -0400 | [diff] [blame] | 44 | .. _extension test class: https://github.com/openstack/patrole/tree/master/patrole_tempest_plugin/tests/api/network#neutron-extension-rbac-tests |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 45 | |
Felipe Monteiro | e36a973 | 2018-11-16 17:28:52 +0000 | [diff] [blame] | 46 | Supported OpenStack Components |
| 47 | ------------------------------ |
| 48 | |
| 49 | Patrole only offers **in-tree** integration testing coverage for the following |
| 50 | components: |
| 51 | |
| 52 | * Cinder |
| 53 | * Glance |
| 54 | * Keystone |
| 55 | * Neutron |
| 56 | * Nova |
| 57 | |
| 58 | Patrole currently has no stable library, so reliance upon Patrole's framework |
| 59 | for external RBAC testing should be done with caution. Nonetheless, even when |
| 60 | Patrole has a stable library, it will only offer in-tree RBAC testing for |
| 61 | the components listed above. |
| 62 | |
Felipe Monteiro | 1c8620a | 2018-02-25 18:52:22 +0000 | [diff] [blame] | 63 | Role Overriding |
| 64 | --------------- |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 65 | |
Felipe Monteiro | 1c8620a | 2018-02-25 18:52:22 +0000 | [diff] [blame] | 66 | Correct role overriding is vital to correct RBAC testing within Patrole. If a |
| 67 | test does not call ``rbac_utils.override_role`` within the RBAC test, followed |
| 68 | by the API endpoint that enforces the expected policy action, then the test is |
| 69 | **not** a valid Patrole test: The API endpoint under test will be performed |
| 70 | with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role`` |
| 71 | is also admin. |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 72 | |
Felipe Monteiro | 1c8620a | 2018-02-25 18:52:22 +0000 | [diff] [blame] | 73 | .. todo:: |
Felipe Monteiro | 0854ded | 2017-05-05 16:30:55 +0100 | [diff] [blame] | 74 | |
Felipe Monteiro | 1c8620a | 2018-02-25 18:52:22 +0000 | [diff] [blame] | 75 | Patrole does not have a hacking check for role overriding, but one may be |
| 76 | added in the future. |
Felipe Monteiro | 9ae705d | 2018-03-26 22:14:44 -0400 | [diff] [blame] | 77 | |
| 78 | Branchless Patrole Considerations |
| 79 | --------------------------------- |
| 80 | |
| 81 | Like Tempest, Patrole is branchless. This is to better ensure API and RBAC |
| 82 | consistency between releases because API and RBAC behavior should not change |
| 83 | between releases. This means that the stable branches are also gated by the |
| 84 | Patrole master branch, which also means that proposed commits to Patrole must |
| 85 | work against both the master and all the currently supported stable branches |
| 86 | of the projects. As such there are a few special considerations that have to |
| 87 | be accounted for when pushing new changes to Patrole. |
| 88 | |
| 89 | 1. New Tests for new features |
| 90 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 91 | |
| 92 | Patrole, like Tempest, *implicitly* tests new features because new policies |
| 93 | oftentimes accompany new features. The same `Tempest philosophy`_ regarding |
| 94 | feature flags and new features also applies to Patrole. |
| 95 | |
| 96 | .. _Tempest philosophy: https://docs.openstack.org/tempest/latest/HACKING.html#new-tests-for-new-features |
| 97 | |
| 98 | 2. New Tests for new policies |
| 99 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 100 | |
| 101 | When adding tests for new policies that were not in previous releases of the |
| 102 | projects, the new test must be properly skipped with a feature flag. This |
| 103 | involves using the ``testtools.skip(Unless|If)`` decorator above the test |
| 104 | to check if the required policy is enabled. Similarly, a feature flag must |
| 105 | be used whenever an OpenStack service covered by Patrole changes one of its |
| 106 | policies in a backwards-incompatible way. If there isn't a method of selecting |
| 107 | the new policy from the config file then there won't be a mechanism to disable |
| 108 | the test with older stable releases and the new test won't be able to merge. |
| 109 | |
| 110 | Introduction of a new feature flag requires specifying a default value for the |
| 111 | corresponding config option that is appropriate in the latest OpenStack |
| 112 | release. Because Patrole is branchless, the feature flag's default value will |
| 113 | need to be overridden to a value that is appropriate in earlier releases in |
| 114 | which the feature isn't available. In DevStack, this can be accomplished by |
| 115 | modifying Patrole's lib installation script for previous branches (because |
| 116 | DevStack is branched). |
| 117 | |
| 118 | 3. Bug fix on core project needing Patrole changes |
| 119 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 120 | |
| 121 | When trying to land a bug fix which changes a tested API you'll have to use the |
| 122 | following procedure: |
| 123 | |
| 124 | #. Propose change to the project, get a +2 on the change even with the |
| 125 | test failing Patrole side. |
| 126 | #. Propose skip to the relevant Patrole test which will only be approved |
| 127 | after the corresponding change in the project has a +2. |
| 128 | #. Land project change in master and all open stable branches |
| 129 | (if required). |
| 130 | #. Land changed test in Patrole. |
| 131 | |
| 132 | Otherwise the bug fix won't be able to land in the project. |
| 133 | |
| 134 | 4. New Tests for existing features or policies |
| 135 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 136 | |
| 137 | The same `Tempest logic`_ regarding new tests for existing features or |
| 138 | policies also applies to Patrole. |
| 139 | |
| 140 | .. _Tempest logic: https://docs.openstack.org/tempest/latest/HACKING.html#new-tests-for-existing-features |
Felipe Monteiro | 4d4cb1e | 2018-07-29 13:44:10 -0400 | [diff] [blame] | 141 | |
| 142 | |
| 143 | Black Box vs. White Box Testing |
| 144 | ------------------------------- |
| 145 | |
| 146 | Tempest is a `black box testing framework`_, meaning that it is concerned with |
| 147 | testing public API endpoints and doesn't concern itself with testing internal |
| 148 | implementation details. Patrole, as a Tempest plugin, also falls underneath |
| 149 | the category of black box testing. However, even with policy in code |
| 150 | documentation, some degree of white box testing is required in order to |
| 151 | correctly write RBAC tests. |
| 152 | |
| 153 | This is because :ref:`policy-in-code` documentation, while useful in many |
| 154 | respects, is usually quite brief and its main purpose is to help operators |
| 155 | understand how to customize policy configuration rather than to help |
| 156 | developers understand complex policy authorization work flows. For example, |
| 157 | policy in code documentation doesn't make deriving |
| 158 | :ref:`multiple policies <multiple-policies>` easy. Such documentation also |
| 159 | doesn't usually mention that a specific parameter needs to be set, or that a |
| 160 | particular microversion must be enabled, or that a particular set of |
| 161 | prerequisite API or policy actions must be executed, in order for the policy |
| 162 | under test to be enforced by the server. This means that test writers must |
| 163 | account for the internal RBAC implementation in API code in order to correctly |
| 164 | understand the complete RBAC work flow within an API. |
| 165 | |
| 166 | Besides, as mentioned :ref:`elsewhere <design-principles>` in this |
| 167 | documentation, not all services currently implement policy in code, making |
| 168 | some degree of white box testing a "necessary evil" for writing robust RBAC |
| 169 | tests. |
| 170 | |
| 171 | .. _black box testing framework: https://docs.openstack.org/tempest/latest/HACKING.html#negative-tests |