Blame - tests/test_rbac_role_converter.py - packaging/sources/patrole

blob: 04eb626895cae64f32dc721dfd832f35bbd32d82 [file] [log] [blame]

DavidPurcell	b25f93d	2017-01-27 12:46:27 -0500	[diff] [blame]	1	# Copyright 2017 AT&T Corporation.
				2	# All Rights Reserved.
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	3	#
				4	# Licensed under the Apache License, Version 2.0 (the "License"); you may
				5	# not use this file except in compliance with the License. You may obtain
				6	# a copy of the License at
				7	#
				8	# http://www.apache.org/licenses/LICENSE-2.0
				9	#
				10	# Unless required by applicable law or agreed to in writing, software
				11	# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
				12	# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
				13	# License for the specific language governing permissions and limitations
				14	# under the License.
				15
				16	import os
				17
				18	from tempest import config
				19	from tempest.tests import base
				20
				21	from patrole_tempest_plugin import rbac_role_converter
				22
				23	CONF = config.CONF
				24
				25
				26	class RbacPolicyTest(base.TestCase):
				27
				28	def setUp(self):
				29	super(RbacPolicyTest, self).setUp()
				30
				31	current_directory = os.path.dirname(os.path.realpath(__file__))
				32	self.custom_policy_file = os.path.join(current_directory,
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	33	'resources',
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	34	'custom_rbac_policy.json')
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	35	self.admin_policy_file = os.path.join(current_directory,
				36	'resources',
				37	'admin_rbac_policy.json')
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	38
				39	def test_custom_policy(self):
				40	default_roles = ['zero', 'one', 'two', 'three', 'four',
				41	'five', 'six', 'seven', 'eight', 'nine']
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	42
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	43	converter = rbac_role_converter.RbacPolicyConverter(
				44	None, "test", self.custom_policy_file)
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	45
				46	expected = {
				47	'policy_action_1': ['two', 'four', 'six', 'eight'],
				48	'policy_action_2': ['one', 'three', 'five', 'seven', 'nine'],
				49	'policy_action_3': ['zero'],
				50	'policy_action_4': ['one', 'two', 'three', 'five', 'seven'],
				51	'policy_action_5': ['zero', 'one', 'two', 'three', 'four', 'five',
				52	'six', 'seven', 'eight', 'nine'],
				53	'policy_action_6': ['eight'],
				54	}
				55
				56	fake_rule = 'fake_rule'
				57
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	58	for role in default_roles:
				59	self.assertRaises(KeyError, converter.allowed, fake_rule, role)
DavidPurcell	029d8c3	2017-01-06 15:27:41 -0500	[diff] [blame]	60
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	61	for rule, role_list in expected.items():
				62	for role in role_list:
				63	self.assertTrue(converter.allowed(rule, role))
				64	for role in set(default_roles) - set(role_list):
				65	self.assertFalse(converter.allowed(rule, role))
				66
				67	def test_admin_policy_file_with_admin_role(self):
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	68	converter = rbac_role_converter.RbacPolicyConverter(
				69	None, "test", self.admin_policy_file)
				70
				71	role = 'admin'
				72	allowed_rules = [
				73	'admin_rule'
				74	]
				75	disallowed_rules = [
				76	'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
				77
				78	for rule in allowed_rules:
				79	allowed = converter.allowed(rule, role)
				80	self.assertTrue(allowed)
				81
				82	for rule in disallowed_rules:
				83	allowed = converter.allowed(rule, role)
				84	self.assertFalse(allowed)
				85
				86	def test_admin_policy_file_with_member_role(self):
Felipe Monteiro	b059565	2017-01-23 16:51:58 -0500	[diff] [blame]	87	converter = rbac_role_converter.RbacPolicyConverter(
				88	None, "test", self.admin_policy_file)
				89
				90	role = 'Member'
				91	allowed_rules = [
				92	'non_admin_rule'
				93	]
				94	disallowed_rules = [
				95	'admin_rule', 'is_admin_rule', 'alt_admin_rule']
				96
				97	for rule in allowed_rules:
				98	allowed = converter.allowed(rule, role)
				99	self.assertTrue(allowed)
				100
				101	for rule in disallowed_rules:
				102	allowed = converter.allowed(rule, role)
				103	self.assertFalse(allowed)