| DavidPurcell | b25f93d | 2017-01-27 12:46:27 -0500 | [diff] [blame] | 1 | # Copyright 2017 AT&T Corporation. |
| DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 2 | # All Rights Reserved. |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 5 | # not use this file except in compliance with the License. You may obtain |
| 6 | # a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 | # License for the specific language governing permissions and limitations |
| 14 | # under the License. |
| 15 | |
| Felipe Monteiro | b059565 | 2017-01-23 16:51:58 -0500 | [diff] [blame] | 16 | import logging |
| 17 | |
| DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 18 | from tempest import config |
| 19 | from tempest.lib import exceptions |
| 20 | |
| 21 | from patrole_tempest_plugin import rbac_auth |
| 22 | from patrole_tempest_plugin import rbac_exceptions |
| 23 | |
| 24 | CONF = config.CONF |
| 25 | LOG = logging.getLogger(__name__) |
| 26 | |
| 27 | |
| Felipe Monteiro | b059565 | 2017-01-23 16:51:58 -0500 | [diff] [blame] | 28 | def action(service, rule): |
| DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 29 | def decorator(func): |
| 30 | def wrapper(*args, **kwargs): |
| Felipe Monteiro | cbd0617 | 2017-01-24 13:49:16 -0500 | [diff] [blame] | 31 | try: |
| 32 | tenant_id = args[0].auth_provider.credentials.tenant_id |
| 33 | except (IndexError, AttributeError) as e: |
| 34 | msg = ("{0}: tenant_id not found in " |
| 35 | "cls.auth_provider.credentials".format(e)) |
| 36 | LOG.error(msg) |
| 37 | raise rbac_exceptions.RbacResourceSetupFailed(msg) |
| 38 | authority = rbac_auth.RbacAuthority(tenant_id, service) |
| DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 39 | allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role) |
| 40 | |
| 41 | try: |
| 42 | func(*args) |
| 43 | except exceptions.Forbidden as e: |
| 44 | if allowed: |
| 45 | msg = ("Role %s was not allowed to perform %s." % |
| 46 | (CONF.rbac.rbac_test_role, rule)) |
| 47 | LOG.error(msg) |
| 48 | raise exceptions.Forbidden( |
| 49 | "%s exception was: %s" % |
| 50 | (msg, e)) |
| 51 | except rbac_exceptions.RbacActionFailed as e: |
| 52 | if allowed: |
| 53 | msg = ("Role %s was not allowed to perform %s." % |
| 54 | (CONF.rbac.rbac_test_role, rule)) |
| 55 | LOG.error(msg) |
| 56 | raise exceptions.Forbidden( |
| 57 | "%s RbacActionFailed was: %s" % |
| 58 | (msg, e)) |
| 59 | else: |
| 60 | if not allowed: |
| 61 | LOG.error("Role %s was allowed to perform %s" % |
| 62 | (CONF.rbac.rbac_test_role, rule)) |
| 63 | raise rbac_exceptions.RbacOverPermission( |
| 64 | "OverPermission: Role %s was allowed to perform %s" % |
| 65 | (CONF.rbac.rbac_test_role, rule)) |
| 66 | return wrapper |
| 67 | return decorator |