Blame - patrole_tempest_plugin/rbac_utils.py - packaging/sources/patrole

2017-01-06 15:27:41 -0500

[diff] [blame]

2

3

#

4

# Licensed under the Apache License, Version 2.0 (the "License"); you may

5

# not use this file except in compliance with the License. You may obtain

6

# a copy of the License at

7

#

8

# http://www.apache.org/licenses/LICENSE-2.0

9

#

10

# Unless required by applicable law or agreed to in writing, software

11

# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

12

# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

13

# License for the specific language governing permissions and limitations

14

# under the License.

15

Sergey Vilgelm

bab9e94

2018-10-11 14:04:48 -0500

[diff] [blame^]

16

import contextlib

Mykola Yakovliev

2018-08-06 15:34:22 -0500

[diff] [blame]

17

import sys

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

18

import time

Felipe Monteiro

2017-03-02 17:01:37 -0500

[diff] [blame]

19

Rajiv Kumar

645dfc9

2017-01-19 13:48:27 +0530

[diff] [blame]

20

from oslo_log import log as logging

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

21

from oslo_utils import excutils

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

22

Felipe Monteiro

3e14f47

2017-08-17 23:02:11 +0100

[diff] [blame]

23

from tempest import clients

Felipe Monteiro

e7e552e

2017-05-02 17:04:12 +0100

[diff] [blame]

24

from tempest.common import credentials_factory as credentials

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

25

from tempest import config

Felipe Monteiro

bf524fb

2018-10-03 09:03:35 -0500

[diff] [blame]

26

from tempest.lib import exceptions as lib_exc

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

27

Felipe Monteiro

2017-03-02 17:01:37 -0500

[diff] [blame]

28

from patrole_tempest_plugin import rbac_exceptions

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

29

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

30

CONF = config.CONF

Felipe Monteiro

2017-03-02 17:01:37 -0500

[diff] [blame]

31

LOG = logging.getLogger(__name__)

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

32

33

Sergey Vilgelm

bab9e94

2018-10-11 14:04:48 -0500

[diff] [blame^]

34

class _ValidateListContext(object):

35

"""Context class responsible for validation of the list functions.

36

37

This class is used in ``override_role_and_validate_list`` function and

38

the result of a list function must be assigned to the ``ctx.resources``

variable.

Example::

with self.rbac_utils.override_role_and_validate_list(...) as ctx:

44

ctx.resources = list_function()

45

46

"""

47

def __init__(self, admin_resources=None, admin_resource_id=None):

48

"""Constructor for ``ValidateListContext``.

49

50

Either ``admin_resources`` or ``admin_resource_id`` should be used,

51

not both.

52

53

:param list admin_resources: The list of resources received before

54

calling the ``override_role_and_validate_list`` function. To

55

validate will be used the ``_validate_len`` function.

56

:param UUID admin_resource_id: An ID of a resource created before

57

calling the ``override_role_and_validate_list`` function. To

58

validate will be used the ``_validate_resource`` function.

59

:raises RbacValidateListException: if both ``admin_resources`` and

60

``admin_resource_id`` are set or unset.

61

"""

62

self.resources = None

63

if admin_resources is not None and not admin_resource_id:

64

self._admin_len = len(admin_resources)

65

if not self._admin_len:

66

raise rbac_exceptions.RbacValidateListException(

67

reason="the list of admin resources cannot be empty")

68

self._validate_func = self._validate_len

69

elif admin_resource_id and admin_resources is None:

70

self._admin_resource_id = admin_resource_id

71

self._validate_func = self._validate_resource

72

else:

73

raise rbac_exceptions.RbacValidateListException(

74

reason="admin_resources and admin_resource_id are mutually "

75

"exclusive")

76

77

def _validate_len(self):

78

"""Validates that the number of resources is less than admin resources.

79

"""

80

if not len(self.resources):

81

raise rbac_exceptions.RbacEmptyResponseBody()

82

elif self._admin_len > len(self.resources):

83

raise rbac_exceptions.RbacPartialResponseBody(body=self.resources)

84

85

def _validate_resource(self):

86

"""Validates that the admin resource is present in the resources.

87

"""

88

for resource in self.resources:

89

if resource['id'] == self._admin_resource_id:

90

return

91

raise rbac_exceptions.RbacPartialResponseBody(body=self.resources)

92

93

def _validate(self):

94

"""Calls the proper validation function.

95

96

:raises RbacValidateListException: if the ``ctx.resources`` variable is

97

not assigned.

98

"""

99

if self.resources is None:

100

raise rbac_exceptions.RbacValidateListException(

101

reason="ctx.resources is not assigned")

102

self._validate_func()

103

104

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

105

class RbacUtils(object):

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

106

"""Utility class responsible for switching ``os_primary`` role.

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

107

108

This class is responsible for overriding the value of the primary Tempest

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

109

credential's role (i.e. ``os_primary`` role). By doing so, it is possible

110

to seamlessly swap between admin credentials, needed for setup and clean

111

up, and primary credentials, needed to perform the API call which does

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

112

policy enforcement. The primary credentials always cycle between roles

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

113

defined by ``CONF.identity.admin_role`` and

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

114

``CONF.patrole.rbac_test_roles``.

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

115

"""

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

116

Felipe Monteiro

b35de58

2017-05-05 00:16:53 +0100

[diff] [blame]

117

def __init__(self, test_obj):

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

118

"""Constructor for ``RbacUtils``.

119

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

120

:param test_obj: An instance of `tempest.test.BaseTestCase`.

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

121

"""

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

122

# Intialize the admin roles_client to perform role switching.

Felipe Monteiro

3e14f47

2017-08-17 23:02:11 +0100

[diff] [blame]

123

admin_mgr = clients.Manager(

124

credentials.get_configured_admin_credentials())

Felipe Monteiro

bf524fb

2018-10-03 09:03:35 -0500

[diff] [blame]

125

if CONF.identity_feature_enabled.api_v3:

Felipe Monteiro

3e14f47

2017-08-17 23:02:11 +0100

[diff] [blame]

126

admin_roles_client = admin_mgr.roles_v3_client

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

127

else:

Felipe Monteiro

bf524fb

2018-10-03 09:03:35 -0500

[diff] [blame]

128

raise lib_exc.InvalidConfiguration(

129

"Patrole role overriding only supports v3 identity API.")

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

130

131

self.admin_roles_client = admin_roles_client

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

132

133

self.user_id = test_obj.os_primary.credentials.user_id

134

self.project_id = test_obj.os_primary.credentials.tenant_id

135

136

# Change default role to admin

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

137

self._override_role(test_obj, False)

Felipe Monteiro

b35de58

2017-05-05 00:16:53 +0100

[diff] [blame]

138

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

139

admin_role_id = None

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

140

rbac_role_ids = None

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

141

Sergey Vilgelm

bab9e94

2018-10-11 14:04:48 -0500

[diff] [blame^]

142

@contextlib.contextmanager

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

143

def override_role(self, test_obj):

144

"""Override the role used by ``os_primary`` Tempest credentials.

145

146

Temporarily change the role used by ``os_primary`` credentials to:

Masayuki Igawa

80b9aab

2018-01-09 17:00:45 +0900

[diff] [blame]

147

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

148

* ``[patrole] rbac_test_roles`` before test execution

Masayuki Igawa

80b9aab

2018-01-09 17:00:45 +0900

[diff] [blame]

149

* ``[identity] admin_role`` after test execution

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

150

151

Automatically switches to admin role after test execution.

152

153

:param test_obj: Instance of ``tempest.test.BaseTestCase``.

:returns: None

.. warning::

This function can alter user roles for pre-provisioned credentials.

159

Work is underway to safely clean up after this function.

Example::

@rbac_rule_validation.action(service='test',

Felipe Monteiro

59f538f

2018-08-22 23:34:40 -0400

[diff] [blame]

164

rules=['a:test:rule'])

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

165

def test_foo(self):

166

# Allocate test-level resources here.

167

with self.rbac_utils.override_role(self):

melissaml

7cd2161

2018-05-23 21:00:50 +0800

[diff] [blame]

168

# The role for `os_primary` has now been overridden. Within

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

169

# this block, call the API endpoint that enforces the

170

# expected policy specified by "rule" in the decorator.

171

self.foo_service.bar_api_call()

172

# The role is switched back to admin automatically. Note that

173

# if the API call above threw an exception, any code below this

174

# point in the test is not executed.

175

"""

Mykola Yakovliev

2018-08-06 15:34:22 -0500

[diff] [blame]

176

test_obj._set_override_role_called()

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

177

self._override_role(test_obj, True)

try:

# Execute the test.

yield

finally:

Mykola Yakovliev

2018-08-06 15:34:22 -0500

[diff] [blame]

182

# Check whether an exception was raised. If so, remember that

183

# for future validation.

184

exc = sys.exc_info()[0]

185

if exc is not None:

186

test_obj._set_override_role_caught_exc()

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

187

# This code block is always executed, no matter the result of the

188

# test. Automatically switch back to the admin role for test clean

189

# up.

190

self._override_role(test_obj, False)

191

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

192

def _override_role(self, test_obj, toggle_rbac_role=False):

193

"""Private helper for overriding ``os_primary`` Tempest credentials.

194

Felipe Monteiro

2017-12-10 04:26:08 +0000

[diff] [blame]

195

:param test_obj: instance of :py:class:`tempest.test.BaseTestCase`

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

196

:param toggle_rbac_role: Boolean value that controls the role that

197

overrides default role of ``os_primary`` credentials.

198

* If True: role is set to ``[patrole] rbac_test_role``

199

* If False: role is set to ``[identity] admin_role``

200

"""

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

201

LOG.debug('Overriding role to: %s.', toggle_rbac_role)

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

202

roles_already_present = False

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

203

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

204

try:

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

205

if not all([self.admin_role_id, self.rbac_role_ids]):

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

206

self._get_roles_by_name()

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

207

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

208

target_roles = (self.rbac_role_ids

209

if toggle_rbac_role else [self.admin_role_id])

210

roles_already_present = self._list_and_clear_user_roles_on_project(

211

target_roles)

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

212

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

213

# Do not override roles if `target_role` already exists.

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

214

if not roles_already_present:

215

self._create_user_role_on_project(target_roles)

DavidPurcell

2017-01-06 15:27:41 -0500

[diff] [blame]

216

except Exception as exp:

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

217

with excutils.save_and_reraise_exception():

218

LOG.exception(exp)

Felipe Monteiro

2017-03-02 17:01:37 -0500

[diff] [blame]

219

finally:

Mykola Yakovliev

1d82978

2018-08-03 14:37:37 -0500

[diff] [blame]

220

auth_providers = test_obj.get_auth_providers()

221

for provider in auth_providers:

222

provider.clear_auth()

Felipe Monteiro

7be94e8

2017-07-26 02:17:08 +0100

[diff] [blame]

223

# Fernet tokens are not subsecond aware so sleep to ensure we are

224

# passing the second boundary before attempting to authenticate.

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

225

# Only sleep if a token revocation occurred as a result of role

Felipe Monteiro

2017-11-21 01:47:20 +0000

[diff] [blame]

226

# overriding. This will optimize test runtime in the case where

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

227

# ``[identity] admin_role`` == ``[patrole] rbac_test_roles``.

228

if not roles_already_present:

Rick Bartra

89f498f

2017-03-20 15:54:45 -0400

[diff] [blame]

229

time.sleep(1)

Mykola Yakovliev

1d82978

2018-08-03 14:37:37 -0500

[diff] [blame]

230

231

for provider in auth_providers:

232

provider.set_auth()

Felipe Monteiro

2017-03-02 17:01:37 -0500

[diff] [blame]

233

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

234

def _get_roles_by_name(self):

Felipe Monteiro

2018-06-15 18:26:27 -0400

[diff] [blame]

235

available_roles = self.admin_roles_client.list_roles()['roles']

236

role_map = {r['name']: r['id'] for r in available_roles}

237

LOG.debug('Available roles: %s', list(role_map.keys()))

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

238

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

239

rbac_role_ids = []

240

roles = CONF.patrole.rbac_test_roles

241

# TODO(vegasq) drop once CONF.patrole.rbac_test_role is removed

242

if CONF.patrole.rbac_test_role:

243

if not roles:

244

roles.append(CONF.patrole.rbac_test_role)

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

245

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

246

for role_name in roles:

247

rbac_role_ids.append(role_map.get(role_name))

248

249

admin_role_id = role_map.get(CONF.identity.admin_role)

250

251

if not all([admin_role_id, all(rbac_role_ids)]):

Felipe Monteiro

2018-06-15 18:26:27 -0400

[diff] [blame]

252

missing_roles = []

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

253

msg = ("Could not find `[patrole] rbac_test_roles` or "

Felipe Monteiro

2018-06-15 18:26:27 -0400

[diff] [blame]

254

"`[identity] admin_role`, both of which are required for "

255

"RBAC testing.")

256

if not admin_role_id:

257

missing_roles.append(CONF.identity.admin_role)

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

258

if not all(rbac_role_ids):

259

missing_roles += [role_name for role_name in roles

260

if not role_map.get(role_name)]

261

Felipe Monteiro

2018-06-15 18:26:27 -0400

[diff] [blame]

262

msg += " Following roles were not found: %s." % (

263

", ".join(missing_roles))

264

msg += " Available roles: %s." % ", ".join(list(role_map.keys()))

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

265

raise rbac_exceptions.RbacResourceSetupFailed(msg)

266

267

self.admin_role_id = admin_role_id

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

268

self.rbac_role_ids = rbac_role_ids

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

269

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

270

def _create_user_role_on_project(self, role_ids):

271

for role_id in role_ids:

272

self.admin_roles_client.create_user_role_on_project(

273

self.project_id, self.user_id, role_id)

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

274

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

275

def _list_and_clear_user_roles_on_project(self, role_ids):

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

276

roles = self.admin_roles_client.list_user_roles_on_project(

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

277

self.project_id, self.user_id)['roles']

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

278

all_role_ids = [role['id'] for role in roles]

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

279

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

280

# NOTE(felipemonteiro): We do not use ``role_id in all_role_ids`` here

281

# to avoid over-permission errors: if the current list of roles on the

Felipe Monteiro

2017-08-12 22:56:47 +0100

[diff] [blame]

282

# project includes "admin" and "Member", and we are switching to the

283

# "Member" role, then we must delete the "admin" role. Thus, we only

284

# return early if the user's roles on the project are an exact match.

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

285

if set(role_ids) == set(all_role_ids):

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

286

return True

Felipe Monteiro

b3b7bc8

2017-03-03 15:58:15 -0500

[diff] [blame]

287

288

for role in roles:

Felipe Monteiro

2017-07-19 20:52:20 +0100

[diff] [blame]

289

self.admin_roles_client.delete_role_from_user_on_project(

Felipe Monteiro

2017-04-01 06:18:25 +0100

[diff] [blame]

290

self.project_id, self.user_id, role['id'])

return False

Sergey Vilgelm

2018-10-11 14:04:48 -0500

[diff] [blame^]

294

@contextlib.contextmanager

295

def override_role_and_validate_list(self, test_obj, admin_resources=None,

296

admin_resource_id=None):

297

"""Call ``override_role`` and validate RBAC for a list API action.

298

299

List actions usually do soft authorization: partial or empty response

300

bodies are returned instead of exceptions. This helper validates

301

that unauthorized roles only return a subset of the available

302

resources.

303

Should only be used for validating list API actions.

304

305

:param test_obj: Instance of ``tempest.test.BaseTestCase``.

306

:param list admin_resources: The list of resources received before

307

calling the ``override_role_and_validate_list`` function.

308

:param UUID admin_resource_id: An ID of a resource created before

309

calling the ``override_role_and_validate_list`` function.

310

:return: py:class:`_ValidateListContext` object.

Example::

# the resource created by admin

315

admin_resource_id = (

316

self.ntp_client.create_dscp_marking_rule()

317

["dscp_marking_rule"]["id'])

318

with self.rbac_utils.override_role_and_validate_list(

319

self, admin_resource_id=admin_resource_id) as ctx:

320

# the list of resources available for member role

321

ctx.resources = self.ntp_client.list_dscp_marking_rules(

322

policy_id=self.policy_id)["dscp_marking_rules"]

323

"""

324

ctx = _ValidateListContext(admin_resources, admin_resource_id)

325

with self.override_role(test_obj):

yield ctx

ctx._validate()

Felipe Monteiro

2017-05-27 05:45:20 +0100

[diff] [blame]

329

Felipe Monteiro

2017-12-10 04:26:08 +0000

[diff] [blame]

330

class RbacUtilsMixin(object):

331

"""Mixin class to be used alongside an instance of

332

:py:class:`tempest.test.BaseTestCase`.

333

334

Should be used to perform Patrole class setup for a base RBAC class. Child

335

classes should not use this mixin.

Example::

class BaseRbacTest(rbac_utils.RbacUtilsMixin, base.BaseV2ComputeTest):

340

341

@classmethod

342

def skip_checks(cls):

343

super(BaseRbacTest, cls).skip_checks()

344

cls.skip_rbac_checks()

345

346

@classmethod

347

def setup_clients(cls):

348

super(BaseRbacTest, cls).setup_clients()

349

cls.setup_rbac_utils()

350

"""

351

Mykola Yakovliev

2018-08-06 15:34:22 -0500

[diff] [blame]

352

# Shows if override_role was called.

353

__override_role_called = False

354

# Shows if exception raised during override_role.

355

__override_role_caught_exc = False

356

Felipe Monteiro

2017-12-10 04:26:08 +0000

[diff] [blame]

357

@classmethod

Mykola Yakovliev

1d82978

2018-08-03 14:37:37 -0500

[diff] [blame]

358

def get_auth_providers(cls):

359

"""Returns list of auth_providers used within test.

360

361

Tests may redefine this method to include their own or third party

362

client auth_providers.

363

"""

364

return [cls.os_primary.auth_provider]

365

366

@classmethod

Felipe Monteiro

2017-12-10 04:26:08 +0000

[diff] [blame]

367

def setup_rbac_utils(cls):

368

cls.rbac_utils = RbacUtils(cls)

369

Mykola Yakovliev

2018-08-06 15:34:22 -0500

[diff] [blame]

370

def _set_override_role_called(self):

371

"""Helper for tracking whether ``override_role`` was called."""

372

self.__override_role_called = True

373

374

def _set_override_role_caught_exc(self):

375

"""Helper for tracking whether exception was thrown inside

376

``override_role``.

377

"""

378

self.__override_role_caught_exc = True

379

380

def _validate_override_role_called(self):

381

"""Idempotently validate that ``override_role`` is called and reset

382

its value to False for sequential tests.

383

"""

384

was_called = self.__override_role_called

385

self.__override_role_called = False

386

return was_called

387

388

def _validate_override_role_caught_exc(self):

389

"""Idempotently validate that exception was caught inside

390

``override_role``, so that, by process of elimination, it can be

391

determined whether one was thrown outside (which is invalid).

392

"""

393

caught_exception = self.__override_role_caught_exc

394

self.__override_role_caught_exc = False

395

return caught_exception

396

Felipe Monteiro

2017-12-10 04:26:08 +0000

[diff] [blame]

397

Felipe Monteiro

8a043fb

2017-08-06 06:29:05 +0100

[diff] [blame]

398

def is_admin():

399

"""Verifies whether the current test role equals the admin role.

400

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

401

:returns: True if ``rbac_test_roles`` contain the admin role.

Felipe Monteiro

8a043fb

2017-08-06 06:29:05 +0100

[diff] [blame]

402

"""

Mykola Yakovliev

2018-09-26 18:26:57 -0500

[diff] [blame]

403

roles = CONF.patrole.rbac_test_roles

404

# TODO(vegasq) drop once CONF.patrole.rbac_test_role is removed

405

if CONF.patrole.rbac_test_role:

406

roles.append(CONF.patrole.rbac_test_role)

407

roles = list(set(roles))

408

Felipe Monteiro

2018-06-15 18:26:27 -0400

[diff] [blame]

409

# TODO(felipemonteiro): Make this more robust via a context is admin

410

# lookup.

Mykola Yakovliev