Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / b0595650c3e218a323290f44457520a92abf09a6 / . / tests / test_rbac_role_converter.py
blob: dadab88332960d66275a4d9f07a157c1e9402ed9 [file] [log] [blame]
DavidPurcell029d8c32017-01-06 15:27:41 -0500[diff] [blame]1# Copyright 2017 AT&T Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import os
16
17from tempest import config
18from tempest.tests import base
19
20from patrole_tempest_plugin import rbac_role_converter
21
22CONF = config.CONF
23
24
25class RbacPolicyTest(base.TestCase):
26
27 def setUp(self):
28 super(RbacPolicyTest, self).setUp()
29
30 current_directory = os.path.dirname(os.path.realpath(__file__))
31 self.custom_policy_file = os.path.join(current_directory,
Felipe Monteirob0595652017-01-23 16:51:58 -0500[diff] [blame^]32 'resources',
DavidPurcell029d8c32017-01-06 15:27:41 -0500[diff] [blame]33 'custom_rbac_policy.json')
Felipe Monteirob0595652017-01-23 16:51:58 -0500[diff] [blame^]34 self.admin_policy_file = os.path.join(current_directory,
35 'resources',
36 'admin_rbac_policy.json')
DavidPurcell029d8c32017-01-06 15:27:41 -0500[diff] [blame]37
38 def test_custom_policy(self):
39 default_roles = ['zero', 'one', 'two', 'three', 'four',
40 'five', 'six', 'seven', 'eight', 'nine']
41 CONF.set_override('rbac_roles', default_roles, group='rbac',
42 enforce_type=True)
43
Felipe Monteirob0595652017-01-23 16:51:58 -0500[diff] [blame^]44 converter = rbac_role_converter.RbacPolicyConverter(
45 None, "test", self.custom_policy_file)
DavidPurcell029d8c32017-01-06 15:27:41 -0500[diff] [blame]46
47 expected = {
48 'policy_action_1': ['two', 'four', 'six', 'eight'],
49 'policy_action_2': ['one', 'three', 'five', 'seven', 'nine'],
50 'policy_action_3': ['zero'],
51 'policy_action_4': ['one', 'two', 'three', 'five', 'seven'],
52 'policy_action_5': ['zero', 'one', 'two', 'three', 'four', 'five',
53 'six', 'seven', 'eight', 'nine'],
54 'policy_action_6': ['eight'],
55 }
56
57 fake_rule = 'fake_rule'
58
Felipe Monteirob0595652017-01-23 16:51:58 -0500[diff] [blame^]59 for role in default_roles:
60 self.assertRaises(KeyError, converter.allowed, fake_rule, role)
DavidPurcell029d8c32017-01-06 15:27:41 -0500[diff] [blame]61
Felipe Monteirob0595652017-01-23 16:51:58 -0500[diff] [blame^]62 for rule, role_list in expected.items():
63 for role in role_list:
64 self.assertTrue(converter.allowed(rule, role))
65 for role in set(default_roles) - set(role_list):
66 self.assertFalse(converter.allowed(rule, role))
67
68 def test_admin_policy_file_with_admin_role(self):
69 default_roles = ['admin', 'Member']
70 CONF.set_override('rbac_roles', default_roles, group='rbac',
71 enforce_type=True)
72
73 converter = rbac_role_converter.RbacPolicyConverter(
74 None, "test", self.admin_policy_file)
75
76 role = 'admin'
77 allowed_rules = [
78 'admin_rule'
79 ]
80 disallowed_rules = [
81 'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
82
83 for rule in allowed_rules:
84 allowed = converter.allowed(rule, role)
85 self.assertTrue(allowed)
86
87 for rule in disallowed_rules:
88 allowed = converter.allowed(rule, role)
89 self.assertFalse(allowed)
90
91 def test_admin_policy_file_with_member_role(self):
92 default_roles = ['admin', 'Member']
93 CONF.set_override('rbac_roles', default_roles, group='rbac',
94 enforce_type=True)
95
96 converter = rbac_role_converter.RbacPolicyConverter(
97 None, "test", self.admin_policy_file)
98
99 role = 'Member'
100 allowed_rules = [
101 'non_admin_rule'
102 ]
103 disallowed_rules = [
104 'admin_rule', 'is_admin_rule', 'alt_admin_rule']
105
106 for rule in allowed_rules:
107 allowed = converter.allowed(rule, role)
108 self.assertTrue(allowed)
109
110 for rule in disallowed_rules:
111 allowed = converter.allowed(rule, role)
112 self.assertFalse(allowed)