# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
| 15 | |
import functools
import logging
import operator
import sys

from oslo_log import versionutils
from oslo_utils import excutils
import six
from tempest import config
from tempest.lib import exceptions as lib_exc
from tempest import test
import testtools

from patrole_tempest_plugin import policy_authority
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import requirements_authority
| 32 | |
DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 33 | |
CONF = config.CONF
LOG = logging.getLogger(__name__)
# Separate logger for the per-test "[Service] / [Test] / [Rules] / [Expected]
# / [Actual]" report lines that ``action`` writes when
# ``CONF.patrole_log.enable_reporting`` is set.
RBACLOG = logging.getLogger('rbac_reporting')

# HTTP error codes a denied call may surface as: 403 Forbidden, or 404 when a
# service masks Forbidden as NotFound (see ``_get_exception_type``). Kept as a
# list because ``_get_exception_type`` formats it into its error message.
_SUPPORTED_ERROR_CODES = [403, 404]
# Code assumed for any rule the caller gives no explicit error code for.
_DEFAULT_ERROR_CODE = 403
| 41 | |
DavidPurcell | 029d8c3 | 2017-01-06 15:27:41 -0500 | [diff] [blame] | 42 | |
def action(service,
           rules=None,
           expected_error_codes=None,
           extra_target_data=None):
    """A decorator for verifying OpenStack policy enforcement.

    A decorator which allows for positive and negative RBAC testing. Given:

    * an OpenStack service,
    * a policy action (``rule``) enforced by that service, and
    * the test roles defined by ``[patrole] rbac_test_roles``

    determines whether the test role has sufficient permissions to perform an
    API call that enforces the ``rule``.

    This decorator should only be applied to an instance or subclass of
    ``tempest.test.BaseTestCase``.

    The result from ``_is_authorized`` is used to determine the *expected*
    test result. The *actual* test result is determined by running the
    Tempest test this decorator applies to.

    Below are the following possibilities from comparing the *expected* and
    *actual* results:

    1) If *expected* is True and the test passes (*actual*), this is a success.
    2) If *expected* is True and the test fails (*actual*), this results in a
       ``RbacUnderPermissionException`` exception failure.
    3) If *expected* is False and the test passes (*actual*), this results in
       an ``RbacOverPermissionException`` exception failure.
    4) If *expected* is False and the test fails (*actual*), this is a success.

    As such, negative and positive testing can be applied using this decorator.

    :param str service: An OpenStack service. Examples: "nova" or "neutron".
    :param list rules: A list of policy actions defined in a policy file or in
        code. The rules are logical-ANDed together to derive the expected
        result. Also accepts list of callables that return a policy action.

        .. note::

            Patrole currently only supports custom JSON policy files.

    :type rules: list[str] or list[callable]
    :param list expected_error_codes: When the ``rules`` list parameter is
        used, then this list indicates the expected error code to use if one
        of the rules does not allow the role being tested. This list must
        coincide with and its elements remain in the same order as the rules
        in the rules list.

        Example::

            rules=["api_action1", "api_action2"]
            expected_error_codes=[404, 403]

        a) If api_action1 fails and api_action2 passes, then the expected
           error code is 404.
        b) if api_action2 fails and api_action1 passes, then the expected
           error code is 403.
        c) if both api_action1 and api_action2 fail, then the expected error
           code is the first error seen (404).

        If it is not passed, then it is defaulted to 403.

        .. warning::

            A 404 should not be provided *unless* the endpoint masks a
            ``Forbidden`` exception as a ``NotFound`` exception.

    :type expected_error_codes: list[int]
    :param dict extra_target_data: Dictionary, keyed with ``oslo.policy``
        generic check names, whose values are string literals that reference
        nested ``tempest.test.BaseTestCase`` attributes. Used by
        ``oslo.policy`` for performing matching against attributes that are
        sent along with the API calls. Example::

            extra_target_data={
                "target.token.user_id":
                "os_alt.auth_provider.credentials.user_id"
            })

    :raises ValueError: At decoration time, if ``expected_error_codes`` is
        given without ``rules`` or the two lists differ in length.
    :raises RbacResourceSetupFailed: When the wrapped function is called on
        something other than a ``tempest.test.BaseTestCase`` instance.
    :raises RbacInvalidServiceException: If ``service`` is invalid.
    :raises RbacUnderPermissionException: For item (2) above.
    :raises RbacOverPermissionException: For item (3) above.
    :raises RbacExpectedWrongException: When a 403 is expected but a 404
        is raised instead or vice versa.

    Examples::

        @rbac_rule_validation.action(
            service="nova",
            rules=["os_compute_api:os-agents"])
        def test_list_agents_rbac(self):
            # The call to `override_role` is mandatory.
            with self.override_role():
                self.agents_client.list_agents()
    """

    if extra_target_data is None:
        extra_target_data = {}

    # Coerce ``rules``/``expected_error_codes`` into two lists of equal
    # length (callables in ``rules`` are evaluated here, at decoration time),
    # so that a rule's index also selects its expected error code below.
    rules, expected_error_codes = _prepare_multi_policy(rules,
                                                        expected_error_codes)

    def decorator(test_func):
        roles = CONF.patrole.rbac_test_roles
        # TODO(vegasq) drop once CONF.patrole.rbac_test_role is removed
        if CONF.patrole.rbac_test_role:
            msg = ('CONF.patrole.rbac_test_role is deprecated in favor of '
                   'CONF.patrole.rbac_test_roles and will be removed in '
                   'future.')
            versionutils.report_deprecated_feature(LOG, msg)
            if not roles:
                # ``roles`` is the CONF option's own list object, so this
                # writes the legacy single role into the global config rather
                # than a local copy; the ``if not roles`` guard limits it to
                # a single append across all decorated tests.
                roles.append(CONF.patrole.rbac_test_role)

        @functools.wraps(test_func)
        def wrapper(*args, **kwargs):
            # The wrapped callable must be a test method: the policy check
            # below needs the test case's credentials and role helpers.
            if args and isinstance(args[0], test.BaseTestCase):
                test_obj = args[0]
            else:
                raise rbac_exceptions.RbacResourceSetupFailed(
                    '`rbac_rule_validation` decorator can only be applied to '
                    'an instance of `tempest.test.BaseTestCase`.')

            # Expected outcome: the call is allowed only if *every* rule
            # authorises the test roles. Disallowed rules are kept (in rule
            # order) for error-code selection and for the failure messages.
            allowed = True
            disallowed_rules = []
            for rule in rules:
                _allowed = _is_authorized(
                    test_obj, service, rule, extra_target_data)
                if not _allowed:
                    disallowed_rules.append(rule)
                allowed = allowed and _allowed

            if disallowed_rules:
                # Choose the first disallowed rule and expect the error
                # code corresponding to it.
                first_error_index = rules.index(disallowed_rules[0])
                exp_error_code = expected_error_codes[first_error_index]
                LOG.debug("%s: Expecting %d to be raised for policy name: %s",
                          test_func.__name__, exp_error_code,
                          disallowed_rules[0])
            else:
                # Nothing is expected to be denied, but an exception class is
                # still needed for the ``except`` clause below.
                # NOTE(review): with an empty ``rules`` list this indexes an
                # empty list and raises IndexError at test time.
                exp_error_code = expected_error_codes[0]

            # ``expected_exception`` is the Forbidden/NotFound class the
            # service is expected to raise on denial; ``irregular_msg`` is
            # only set for 404 so the masking can be logged as a warning.
            expected_exception, irregular_msg = _get_exception_type(
                exp_error_code)

            caught_exception = None
            test_status = 'Allowed'

            try:
                test_func(*args, **kwargs)
            except rbac_exceptions.RbacInvalidServiceException:
                # Test-setup problem, not a policy result: log and re-raise.
                with excutils.save_and_reraise_exception():
                    msg = ("%s is not a valid service." % service)
                    # FIXME(felipemonteiro): This test_status is logged too
                    # late. Need a function to log it before re-raising.
                    test_status = ('Error, %s' % (msg))
                    LOG.error(msg)
            except (expected_exception,
                    rbac_exceptions.BasePatroleResponseBodyException) \
                    as actual_exception:
                # The service denied the call (or signalled the denial in
                # the response body). That is only the correct outcome when
                # the policy check said the roles lack permission.
                caught_exception = actual_exception
                test_status = 'Denied'

                if irregular_msg:
                    LOG.warning(irregular_msg,
                                test_func.__name__,
                                ', '.join(rules),
                                service)

                if allowed:
                    # Case (2) in the docstring: policy grants the action but
                    # the service refused it.
                    msg = ("User with roles %s was not allowed to perform the "
                           "following actions: %s. Expected allowed actions: "
                           "%s. Expected disallowed actions: %s." % (
                               roles, sorted(rules),
                               sorted(set(rules) - set(disallowed_rules)),
                               sorted(disallowed_rules)))
                    LOG.error(msg)
                    raise rbac_exceptions.RbacUnderPermissionException(
                        "%s Exception was: %s" % (msg, actual_exception))
            except Exception as actual_exception:
                caught_exception = actual_exception

                # A Forbidden/NotFound of the *other* kind appears to mean the
                # wrong error code was declared for the rule; anything else is
                # an unexpected failure of the test itself and is re-raised
                # after logging.
                if _check_for_expected_mismatch_exception(expected_exception,
                                                          actual_exception):
                    LOG.error('Expected and actual exceptions do not match. '
                              'Expected: %s. Actual: %s.',
                              expected_exception,
                              actual_exception.__class__)
                    raise rbac_exceptions.RbacExpectedWrongException(
                        expected=expected_exception,
                        actual=actual_exception.__class__,
                        exception=actual_exception)
                else:
                    with excutils.save_and_reraise_exception():
                        exc_info = sys.exc_info()
                        error_details = six.text_type(exc_info[1])
                        msg = ("An unexpected exception has occurred during "
                               "test: %s. Exception was: %s" % (
                                   test_func.__name__, error_details))
                        test_status = 'Error, %s' % (error_details)
                        LOG.error(msg)
            else:
                # The call succeeded: if policy said it should have been
                # denied, the service is over-permissive (case (3)).
                if not allowed:
                    msg = (
                        "OverPermission: Role %s was allowed to perform the "
                        "following disallowed actions: %s" % (
                            roles, sorted(disallowed_rules)
                        )
                    )
                    LOG.error(msg)
                    raise rbac_exceptions.RbacOverPermissionException(msg)
            finally:
                # Report expected vs. actual outcome for every run, including
                # runs that end in an exception.
                if CONF.patrole_log.enable_reporting:
                    RBACLOG.info(
                        "[Service]: %s, [Test]: %s, [Rules]: %s, "
                        "[Expected]: %s, [Actual]: %s",
                        service, test_func.__name__, ', '.join(rules),
                        "Allowed" if allowed else "Denied",
                        test_status)

                # Sanity-check that ``override_role`` was called to eliminate
                # false-positives and bad test flows resulting from exceptions
                # getting raised too early, too late or not at all, within
                # the scope of an RBAC test.
                _validate_override_role_called(
                    test_obj,
                    actual_exception=caught_exception)

        return wrapper
    return decorator
Rick Bartra | 1299894 | 2017-03-17 17:35:45 -0400 | [diff] [blame] | 275 | |
| 276 | |
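def _prepare_multi_policy(rules, exp_error_codes):
    """Normalise the ``rules``/``expected_error_codes`` decorator arguments.

    Both arguments are coerced to lists of equal length so that ``action``
    can look up the expected error code of a rule by the rule's index:

    * a single rule (or callable) and a single error code are wrapped in a
      list; ``None`` (and a falsy ``exp_error_codes``) become an empty list;
    * missing error codes are padded with ``_DEFAULT_ERROR_CODE``, one per
      rule;
    * callables in ``rules`` are called to obtain the policy action name.

    Validation only applies when error codes were actually supplied: the
    caller must then also supply ``rules``, and the two lists must have the
    same length, otherwise a code could silently be attributed to the wrong
    rule. Coercion happens *before* validation so that a bare string rule
    counts as one rule (not ``len(str)`` rules) and a bare int error code
    is accepted rather than failing on ``len(int)``.

    :param rules: A policy action name, a callable returning one, a
        list/tuple of either, or ``None``.
    :param exp_error_codes: An int, a list/tuple of ints, or ``None``.
    :returns: ``(evaluated_rules, exp_error_codes)`` as two new lists of
        equal length. The caller's lists are not mutated.
    :raises ValueError: If ``exp_error_codes`` is given without ``rules``,
        or the two lists differ in length.
    """
    codes_provided = bool(exp_error_codes)

    if rules is None:
        rule_list = []
    elif isinstance(rules, (tuple, list)):
        rule_list = list(rules)
    else:
        rule_list = [rules]

    if not codes_provided:
        code_list = []
    elif isinstance(exp_error_codes, (tuple, list)):
        code_list = list(exp_error_codes)
    else:
        code_list = [exp_error_codes]

    if codes_provided:
        if not rule_list:
            msg = ("The `rules` list must be provided if using the "
                   "`expected_error_codes` list.")
            raise ValueError(msg)
        if len(rule_list) != len(code_list):
            msg = ("The `expected_error_codes` list is not the same length "
                   "as the `rules` list.")
            raise ValueError(msg)

    # Pad with the default code so every rule has a code at the same index
    # (only reachable when no codes were supplied, after the checks above).
    missing = len(rule_list) - len(code_list)
    if missing > 0:
        code_list.extend([_DEFAULT_ERROR_CODE] * missing)

    evaluated_rules = [r() if callable(r) else r for r in rule_list]

    return evaluated_rules, code_list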
Felipe Monteiro | 44d7784 | 2018-03-21 02:42:59 +0000 | [diff] [blame] | 312 | |
| 313 | |
def _is_authorized(test_obj, service, rule, extra_target_data):
    """Decide whether the configured RBAC role(s) may perform ``rule``.

    The decision is delegated to an *authority* object: a
    ``RequirementsAuthority`` built from ``CONF.patrole.custom_requirements_file``
    when ``CONF.patrole.test_custom_requirements`` is set, otherwise a
    ``PolicyAuthority`` built for the primary credentials' project/user and
    ``service``. The role list is expanded with implied roles through
    ``test_obj.get_all_needed_roles`` before the authority is consulted.

    :param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
    :param service: The OpenStack service that enforces ``rule``.
    :param rule: The name of the policy action. Examples include
        "identity:create_user" or "os_compute_api:os-agents".
    :param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
        check names, whose values are string literals that reference nested
        ``tempest.test.BaseTestCase`` attributes. Used by ``oslo.policy`` for
        performing matching against attributes that are sent along with the
        API calls. Only consulted on the ``oslo.policy`` path.

    :returns: True if the current RBAC role can perform the policy action,
        else False.

    :raises RbacResourceSetupFailed: If `project_id` or `user_id` are missing
        from the `os_primary.credentials` attribute in `test_obj`.
    """

    try:
        creds = test_obj.os_primary.credentials
        project_id, user_id = creds.project_id, creds.user_id
    except AttributeError as e:
        msg = ("{0}: project_id or user_id not found in os_primary.credentials"
               .format(e))
        LOG.error(msg)
        raise rbac_exceptions.RbacResourceSetupFailed(msg)

    roles = CONF.patrole.rbac_test_roles
    # TODO(vegasq) drop once CONF.patrole.rbac_test_role is removed
    # ``roles`` is the CONF option's own list object, so the append below
    # writes the legacy single role into the global config, not a copy.
    if CONF.patrole.rbac_test_role and not roles:
        roles.append(CONF.patrole.rbac_test_role)

    # Expand with implied roles before the check.
    roles = test_obj.get_all_needed_roles(roles)

    # A custom requirements file takes precedence over oslo.policy.
    if CONF.patrole.test_custom_requirements:
        authority = requirements_authority.RequirementsAuthority(
            CONF.patrole.custom_requirements_file, service)
    else:
        target_data = _format_extra_target_data(test_obj, extra_target_data)
        authority = policy_authority.PolicyAuthority(
            project_id, user_id, service, extra_target_data=target_data)

    is_allowed = authority.allowed(rule, roles)
    if is_allowed:
        LOG.debug("[Policy action]: %s, [Role]: %s is allowed!", rule,
                  roles)
    else:
        LOG.debug("[Policy action]: %s, [Role]: %s is NOT allowed!",
                  rule, roles)
    return is_allowed
Felipe Monteiro | 78fc489 | 2017-04-12 21:33:39 +0100 | [diff] [blame] | 372 | |
| 373 | |
def _get_exception_type(expected_error_code=_DEFAULT_ERROR_CODE):
    """Map an expected HTTP error code to the exception class to catch.

    Only the codes in ``_SUPPORTED_ERROR_CODES`` are accepted: 403 maps to
    ``Forbidden`` and 404 to ``NotFound``. A 404 is tolerated because some
    services (Neutron, for security reasons) mask ``Forbidden`` as
    ``NotFound``; for that case a warning template is returned as well so the
    caller can log that the denial arrived with an irregular status.

    :param expected_error_code: Integer HTTP code the denied call is expected
        to return. Must be contained in ``_SUPPORTED_ERROR_CODES``.
    :returns: ``(exception_class, irregular_msg)``. ``irregular_msg`` is a
        ``%s``-style template taking the test name, the rules and the
        service for 404, and ``None`` for 403.
    :raises RbacInvalidErrorCode: If ``expected_error_code`` is not an
        integer or is not a supported code.
    """
    is_supported = (isinstance(expected_error_code, six.integer_types) and
                    expected_error_code in _SUPPORTED_ERROR_CODES)
    if not is_supported:
        msg = ("Please pass an expected error code. Currently "
               "supported codes: {0}".format(_SUPPORTED_ERROR_CODES))
        LOG.error(msg)
        raise rbac_exceptions.RbacInvalidErrorCode(msg)

    not_found_msg = ("NotFound exception was caught for test %s. Expected "
                     "policies which may have caused the error: %s. The "
                     "service %s throws a 404 instead of a 403, which is "
                     "irregular")
    exception_for_code = {
        403: (lib_exc.Forbidden, None),
        404: (lib_exc.NotFound, not_found_msg),
    }
    return exception_for_code.get(expected_error_code, (None, None))
Felipe Monteiro | fd1db98 | 2017-04-13 21:19:41 +0100 | [diff] [blame] | 408 | |
| 409 | |
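def _format_extra_target_data(test_obj, extra_target_data):
    """Formats the "extra_target_data" dictionary with correct test data.

    Before being formatted, "extra_target_data" is a dictionary that maps a
    policy string like "trust.trustor_user_id" to a dotted path of
    ``tempest.test.BaseTestCase`` attributes. For example, the attribute path
    in::

        "trust.trustor_user_id": "os.auth_provider.credentials.user_id"

    is resolved attribute by attribute, starting from ``test_obj``, until the
    value of "user_id" is reached. The resulting dictionary returns::

        "trust.trustor_user_id": "the user_id of the `os_primary` credential"

    Every entry is resolved independently from ``test_obj``; an earlier
    version carried the previously resolved value over to the next entry,
    so only the first entry of a multi-entry dictionary resolved correctly.

    :param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
    :param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
        check names, whose values are string literals that reference nested
        ``tempest.test.BaseTestCase`` attributes. Used by ``oslo.policy`` for
        performing matching against attributes that are sent along with the
        API calls.
    :returns: Dictionary containing additional object data needed by
        ``oslo.policy`` to validate generic checks.
    :raises AttributeError: If any segment of an attribute path does not
        exist on the object reached so far.
    """
    # ``attrgetter`` walks a dotted path with successive ``getattr`` calls,
    # always starting from ``test_obj`` for each entry.
    return {
        user_attribute: operator.attrgetter(attr_string)(test_obj)
        for user_attribute, attr_string in extra_target_data.items()
    }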
def _check_for_expected_mismatch_exception(expected_exception,
                                           actual_exception):
    """Checks whether ``actual_exception`` is a permission error of the wrong kind.

    Patrole must distinguish 403 (``Forbidden``) from 404 (``NotFound``): a
    policy failure that surfaces with the wrong status code would otherwise
    be masked, so the expected and actual error codes must match exactly.

    :param expected_exception: Expected exception for test.
    :param actual_exception: Actual exception raised by test.
    :returns: True if ``actual_exception`` is a ``Forbidden`` or ``NotFound``
        whose type differs from that of ``expected_exception``; False
        otherwise, including when ``actual_exception`` is neither of the two.
    :rtype: boolean
    """
    permission_exceptions = (lib_exc.Forbidden, lib_exc.NotFound)
    # Anything other than a 403/404 is not a permission-code mismatch at all.
    if not isinstance(actual_exception, permission_exceptions):
        return False
    # NOTE(review): ``expected_exception.__class__`` implies an exception
    # *instance* is passed in. If the caller passes the class itself this
    # resolves to ``type`` and the check always reports a mismatch -- confirm
    # against the call site.
    return not isinstance(actual_exception, expected_exception.__class__)
def _validate_override_role_called(test_obj, actual_exception):
    """Validates that :func:`rbac_utils.RbacUtilsMixin.override_role` is called
    during each Patrole test.

    Useful for validating that the expected exception isn't raised too early
    (before ``override_role`` call) or too late (after ``override_call``) or
    at all (which is a bad test).

    Two situations are deliberately let through without error: a test-skip
    exception raised before ``override_role`` is returned to the caller so
    the unit testing framework can handle it, and an exception that is an
    instance of ``BasePatroleException`` raised after the ``override_role``
    context is not treated as an unrelated failure.

    :param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
    :param actual_exception: Actual exception raised by test.
    :raises RbacOverrideRoleException: If ``override_role`` isn't called, is
        called too early, or is called too late.
    """
    called = test_obj._validate_override_role_called()
    base_msg = ('This error is unrelated to RBAC and is due to either '
                'an API or override role failure. Exception: %s' %
                actual_exception)

    if called:
        exc_caught_in_ctx = test_obj._validate_override_role_caught_exc()
        # ``override_role`` was called. The only legitimate error here is an
        # exception that was raised outside the ``override_role`` context and
        # is not a Patrole exception (instance of ``BasePatroleException``).
        unrelated_failure = (
            actual_exception is not None and
            not exc_caught_in_ctx and
            not isinstance(actual_exception,
                           rbac_exceptions.BasePatroleException))
        if not unrelated_failure:
            return
        reason = ('Caught exception (%s) but it was raised after the '
                  '`override_role` context. ' % actual_exception.__class__)
    elif actual_exception is None:
        reason = 'Test missing required `override_role` call. '
    elif isinstance(actual_exception,
                    testtools.testcase.TestCase.skipException):
        # Use testtools skipException in base TestCase to support the
        # different skip exceptions used. Return so the skip exception goes
        # up the stack and is handled by the unit testing framework.
        return
    else:
        reason = ('Caught exception (%s) but it was raised before the '
                  '`override_role` context. ' % actual_exception.__class__)

    msg = reason + base_msg
    LOG.error(msg)
    raise rbac_exceptions.RbacOverrideRoleException(msg)