# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
15
Felipe Monteiro9c978502017-01-27 17:07:54 -050016import mock
DavidPurcell029d8c32017-01-06 15:27:41 -050017import os
18
19from tempest import config
20from tempest.tests import base
21
22from patrole_tempest_plugin import rbac_role_converter
23
# Module-level handle on tempest's global configuration object. None of the
# tests visible in this listing read it.
CONF = config.CONF
25
26
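class RbacPolicyTest(base.TestCase):
    """Unit tests for ``RbacPolicyConverter.allowed`` on fixture policies.

    Each test builds a converter from a JSON policy file under
    ``resources/`` and checks both directions of the decision: roles that
    must be allowed by a rule and roles that must be denied. The deny
    assertions matter as much as the allow ones, because a converter that
    wrongly reports "allowed" would hide a privilege-escalation path from
    the RBAC tests that rely on it.
    """

    def setUp(self):
        """Resolve the absolute paths of the policy fixtures."""
        super(RbacPolicyTest, self).setUp()

        # realpath() so the fixtures are found regardless of the working
        # directory or of symlinks in the path to this test module.
        current_directory = os.path.dirname(os.path.realpath(__file__))
        resources = os.path.join(current_directory, 'resources')

        self.custom_policy_file = os.path.join(
            resources, 'custom_rbac_policy.json')
        self.admin_policy_file = os.path.join(
            resources, 'admin_rbac_policy.json')
        self.alt_admin_policy_file = os.path.join(
            resources, 'alt_admin_rbac_policy.json')

    def _assert_rule_access(self, converter, role, allowed_rules,
                            disallowed_rules):
        """Assert the allow/deny outcome of every listed rule for ``role``.

        :param converter: object exposing ``allowed(rule, role)``
        :param role: role name passed to ``allowed``
        :param allowed_rules: rules that must evaluate truthy for ``role``
        :param disallowed_rules: rules that must evaluate falsy for ``role``

        The failure message names the offending (role, rule) pair so that
        a broken authorization decision can be located without re-running
        the loop by hand.
        """
        for rule in allowed_rules:
            self.assertTrue(
                converter.allowed(rule, role),
                "role %r should be allowed by rule %r" % (role, rule))

        for rule in disallowed_rules:
            self.assertFalse(
                converter.allowed(rule, role),
                "role %r should be denied by rule %r" % (role, rule))

    @mock.patch.object(rbac_role_converter, 'LOG', autospec=True)
    def test_custom_policy(self, m_log):
        """Check the full role/rule matrix of the custom policy fixture.

        Also verifies that a rule missing from the policy file is denied
        for every role (fail closed) and that each such lookup emits
        exactly one debug log entry.
        """
        default_roles = ['zero', 'one', 'two', 'three', 'four',
                         'five', 'six', 'seven', 'eight', 'nine']

        # NOTE(review): the meaning of the first two constructor arguments
        # (None and "test") is defined by RbacPolicyConverter, which is not
        # visible here; they are passed exactly as before.
        converter = rbac_role_converter.RbacPolicyConverter(
            None, "test", self.custom_policy_file)

        expected = {
            'policy_action_1': ['two', 'four', 'six', 'eight'],
            'policy_action_2': ['one', 'three', 'five', 'seven', 'nine'],
            'policy_action_3': ['zero'],
            'policy_action_4': ['one', 'two', 'three', 'five', 'seven'],
            'policy_action_5': ['zero', 'one', 'two', 'three', 'four', 'five',
                                'six', 'seven', 'eight', 'nine'],
            'policy_action_6': ['eight'],
        }

        fake_rule = 'fake_rule'

        for role in default_roles:
            # An unknown rule must never grant access.
            self.assertFalse(
                converter.allowed(fake_rule, role),
                "role %r should be denied by unknown rule %r"
                % (role, fake_rule))
            m_log.debug.assert_called_once_with(
                "{0} not found in policy file.".format(fake_rule))
            # Reset so the next iteration can assert "called once" again.
            m_log.debug.reset_mock()

        for rule, role_list in expected.items():
            for role in role_list:
                self.assertTrue(
                    converter.allowed(rule, role),
                    "role %r should be allowed by rule %r" % (role, rule))
            # Every role not listed for the rule must be denied; sorted()
            # only makes the order of a failure report deterministic.
            for role in sorted(set(default_roles) - set(role_list)):
                self.assertFalse(
                    converter.allowed(rule, role),
                    "role %r should be denied by rule %r" % (role, rule))

    def test_admin_policy_file_with_admin_role(self):
        """The 'admin' role passes admin rules and fails the non-admin one."""
        converter = rbac_role_converter.RbacPolicyConverter(
            None, "test", self.admin_policy_file)

        self._assert_rule_access(
            converter, 'admin',
            allowed_rules=['admin_rule', 'is_admin_rule', 'alt_admin_rule'],
            disallowed_rules=['non_admin_rule'])

    def test_admin_policy_file_with_member_role(self):
        """The 'Member' role passes only the non-admin rule."""
        converter = rbac_role_converter.RbacPolicyConverter(
            None, "test", self.admin_policy_file)

        self._assert_rule_access(
            converter, 'Member',
            allowed_rules=['non_admin_rule'],
            disallowed_rules=['admin_rule', 'is_admin_rule',
                              'alt_admin_rule'])

    def test_admin_policy_file_with_context_is_admin(self):
        """Check admin detection against the alternate admin policy file.

        NOTE(review): presumably the fixture grants admin context to
        'super_admin' rather than to a role with "admin" in its name;
        confirm against resources/alt_admin_rbac_policy.json.
        """
        converter = rbac_role_converter.RbacPolicyConverter(
            None, "test", self.alt_admin_policy_file)

        # A role that merely looks like an admin must not pass admin_rule.
        self._assert_rule_access(
            converter, 'fake_admin',
            allowed_rules=['non_admin_rule'],
            disallowed_rules=['admin_rule'])

        self._assert_rule_access(
            converter, 'super_admin',
            allowed_rules=['admin_rule'],
            disallowed_rules=['non_admin_rule'])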