blob: 28a977d6df2779960effc0c9e337b08eb90bb698 [file] [log] [blame]
Felipe Monteiroeb197db2018-06-10 12:21:49 -04001Patrole Coding Guide
2====================
DavidPurcell663aedf2017-01-03 10:01:14 -05003
gaozx6f663e02017-08-10 10:24:16 +08004- Step 1: Read the OpenStack Style Commandments: `<https://docs.openstack.org/hacking/latest/>`__
5- Step 2: Review Tempest's Style Commandments: `<https://docs.openstack.org/tempest/latest/HACKING.html>`__
Felipe Monteiro0854ded2017-05-05 16:30:55 +01006- Step 3: Read on
Felipe Monteiro7bc35dc2017-04-19 21:11:46 +01007
Felipe Monteiro0854ded2017-05-05 16:30:55 +01008Patrole Specific Commandments
9------------------------------
10
11Patrole borrows the following commandments from Tempest; refer to
gaozx6f663e02017-08-10 10:24:16 +080012`Tempest's Commandments <https://docs.openstack.org/tempest/latest/HACKING.html>`__
Felipe Monteiro0854ded2017-05-05 16:30:55 +010013for more information:
14
15.. note::
16
17 The original Tempest Commandments do not include Patrole-specific paths.
18 Patrole-specific paths replace the Tempest-specific paths within Patrole's
19 hacking checks.
Felipe Monteiro0854ded2017-05-05 16:30:55 +010020
Felipe Monteirofdc45142018-07-18 20:54:20 +010021- [T102] Cannot import OpenStack python clients in
22 ``patrole_tempest_plugin/tests/api``
Felipe Monteiro0854ded2017-05-05 16:30:55 +010023- [T105] Tests cannot use setUpClass/tearDownClass
24- [T106] vim configuration should not be kept in source files.
25- [T107] Check that a service tag isn't in the module path
26- [T108] Check no hyphen at the end of rand_name() argument
27- [T109] Cannot use testtools.skip decorator; instead use
Felipe Monteirofdc45142018-07-18 20:54:20 +010028 ``decorators.skip_because`` from ``tempest.lib``
29- [T113] Check that tests use ``data_utils.rand_uuid()`` instead of
30 ``uuid.uuid4()``
Felipe Monteiro0854ded2017-05-05 16:30:55 +010031- [N322] Method's default argument shouldn't be mutable
32
33The following are Patrole's specific Commandments:
34
35- [P100] The ``rbac_rule_validation.action`` decorator must be applied to
Felipe Monteirofdc45142018-07-18 20:54:20 +010036 an RBAC test
Felipe Monteiro0854ded2017-05-05 16:30:55 +010037- [P101] RBAC test filenames must end with "_rbac.py"; for example,
Felipe Monteirofdc45142018-07-18 20:54:20 +010038 test_servers_rbac.py, not test_servers.py
Felipe Monteiro0854ded2017-05-05 16:30:55 +010039- [P102] RBAC test class names must end in 'RbacTest'
Samantha Blancocd870772017-05-22 14:23:17 -040040- [P103] ``self.client`` must not be used as a client alias; this allows for
Felipe Monteirofdc45142018-07-18 20:54:20 +010041 code that is more maintainable and easier to read
Felipe Monteiro0854ded2017-05-05 16:30:55 +010042
Felipe Monteiro1c8620a2018-02-25 18:52:22 +000043Role Overriding
44---------------
Felipe Monteiro0854ded2017-05-05 16:30:55 +010045
Felipe Monteiro1c8620a2018-02-25 18:52:22 +000046Correct role overriding is vital to correct RBAC testing within Patrole. If a
47test does not call ``rbac_utils.override_role`` within the RBAC test, followed
48by the API endpoint that enforces the expected policy action, then the test is
49**not** a valid Patrole test: The API endpoint under test will be performed
50with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role``
51is also admin.
Felipe Monteiro0854ded2017-05-05 16:30:55 +010052
Felipe Monteiro1c8620a2018-02-25 18:52:22 +000053.. todo::
Felipe Monteiro0854ded2017-05-05 16:30:55 +010054
Felipe Monteiro1c8620a2018-02-25 18:52:22 +000055 Patrole does not have a hacking check for role overriding, but one may be
56 added in the future.
Felipe Monteiro9ae705d2018-03-26 22:14:44 -040057
58Branchless Patrole Considerations
59---------------------------------
60
61Like Tempest, Patrole is branchless. This is to better ensure API and RBAC
62consistency between releases because API and RBAC behavior should not change
63between releases. This means that the stable branches are also gated by the
64Patrole master branch, which also means that proposed commits to Patrole must
65work against both the master and all the currently supported stable branches
66of the projects. As such there are a few special considerations that have to
67be accounted for when pushing new changes to Patrole.
68
691. New Tests for new features
70^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
71
72Patrole, like Tempest, *implicitly* tests new features because new policies
73oftentimes accompany new features. The same `Tempest philosophy`_ regarding
74feature flags and new features also applies to Patrole.
75
76.. _Tempest philosophy: https://docs.openstack.org/tempest/latest/HACKING.html#new-tests-for-new-features
77
782. New Tests for new policies
79^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
80
81When adding tests for new policies that were not in previous releases of the
82projects, the new test must be properly skipped with a feature flag. This
83involves using the ``testtools.skip(Unless|If)`` decorator above the test
84to check if the required policy is enabled. Similarly, a feature flag must
85be used whenever an OpenStack service covered by Patrole changes one of its
86policies in a backwards-incompatible way. If there isn't a method of selecting
87the new policy from the config file then there won't be a mechanism to disable
88the test with older stable releases and the new test won't be able to merge.
89
90Introduction of a new feature flag requires specifying a default value for the
91corresponding config option that is appropriate in the latest OpenStack
92release. Because Patrole is branchless, the feature flag's default value will
93need to be overridden to a value that is appropriate in earlier releases in
94which the feature isn't available. In DevStack, this can be accomplished by
95modifying Patrole's lib installation script for previous branches (because
96DevStack is branched).
97
983. Bug fix on core project needing Patrole changes
99^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
100
101When trying to land a bug fix which changes a tested API you'll have to use the
102following procedure:
103
104 #. Propose change to the project, get a +2 on the change even with the
105 test failing Patrole side.
106 #. Propose skip to the relevant Patrole test which will only be approved
107 after the corresponding change in the project has a +2.
108 #. Land project change in master and all open stable branches
109 (if required).
110 #. Land changed test in Patrole.
111
112Otherwise the bug fix won't be able to land in the project.
113
1144. New Tests for existing features or policies
115^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
116
117The same `Tempest logic`_ regarding new tests for existing features or
118policies also applies to Patrole.
119
120.. _Tempest logic: https://docs.openstack.org/tempest/latest/HACKING.html#new-tests-for-existing-features