patrole_tempest_plugin/rbac_rule_validation.py

# Copyright 2017 AT&T Corp
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import logging

from tempest import config
from tempest.lib import exceptions

from patrole_tempest_plugin import rbac_auth
from patrole_tempest_plugin import rbac_exceptions

CONF = config.CONF
LOG = logging.getLogger(__name__)


def action(component, service, rule):
    def decorator(func):
        def wrapper(*args, **kwargs):
            authority = rbac_auth.RbacAuthority(component, service)
            allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)

            try:
                func(*args)
            except exceptions.Forbidden as e:
                if allowed:
                    msg = ("Role %s was not allowed to perform %s." %
                           (CONF.rbac.rbac_test_role, rule))
                    LOG.error(msg)
                    raise exceptions.Forbidden(
                        "%s exception was: %s" %
                        (msg, e))
            except rbac_exceptions.RbacActionFailed as e:
                if allowed:
                    msg = ("Role %s was not allowed to perform %s." %
                           (CONF.rbac.rbac_test_role, rule))
                    LOG.error(msg)
                    raise exceptions.Forbidden(
                        "%s RbacActionFailed was: %s" %
                        (msg, e))
            else:
                if not allowed:
                    LOG.error("Role %s was allowed to perform %s" %
                              (CONF.rbac.rbac_test_role, rule))
                    raise rbac_exceptions.RbacOverPermission(
                        "OverPermission: Role %s was allowed to perform %s" %
                        (CONF.rbac.rbac_test_role, rule))
        return wrapper
    return decorator