RBAC Testing Validation
=======================

.. _validation-workflow-overview:

----------------------------
Validation Workflow Overview
----------------------------

RBAC testing validation is broken up into 3 stages:

#. "Expected" stage. Determine whether the test should be able to succeed
   or fail based on the test roles defined by ``[patrole] rbac_test_roles``
   and the policy action that the test enforces.
#. "Actual" stage. Run the test by calling the API endpoint that enforces
   the expected policy action using the test roles.
#. Comparing the outputs from both stages for consistency. A "consistent"
   result is treated as a pass and an "inconsistent" result is treated
   as a failure. "Consistent" (or successful) cases include:

   * Expected result is ``True`` and the test passes.
   * Expected result is ``False`` and the test fails.

   For example, a 200 from the API call and a ``True`` result from
   ``oslo.policy`` or a 403 from the API call and a ``False`` result from
   ``oslo.policy`` are successful results.

   "Inconsistent" (or failing) cases include:

   * Expected result is ``False`` and the test passes. This results in an
     :class:`~rbac_exceptions.RbacOverPermissionException` exception
     getting thrown.
   * Expected result is ``True`` and the test fails. This results in an
     :class:`~rbac_exceptions.RbacOverPermissionException` exception
     getting thrown.

   For example, a 200 from the API call and a ``False`` result from
   ``oslo.policy`` or a 403 from the API call and a ``True`` result from
   ``oslo.policy`` are failing results.

.. warning::

   Note that Patrole cannot currently derive the expected policy result for
   service-specific ``oslo.policy`` `checks`_, like Neutron's `FieldCheck`_,
   because such checks are contained within the service's code base itself,
   which Patrole cannot import.

.. _checks: https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#generic-checks
.. _FieldCheck: https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#fieldcheck-verify-resource-attributes
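
The three stages modelled in Python, as an added illustration that is not
Patrole's own code: ``POLICY``, ``RbacInconsistentResult``,
``expected_result`` and ``validate`` are constructed names, and the rule
evaluator is a minimal stand-in for ``oslo.policy`` that, like Patrole,
cannot evaluate service-specific checks.

```python
# Constructed stand-in (not Patrole's code) for a service's policy file.
POLICY = {
    "admin_only": "role:admin",
    "admin_or_member": "role:admin or role:member",
    "os_compute_api:servers:create": "rule:admin_or_member",
    "os_compute_api:servers:delete": "rule:admin_only",
    "os_compute_api:servers:index": "@",
}

class RbacInconsistentResult(Exception):
    """Constructed stand-in for Patrole's rbac_exceptions classes;
    ``reason`` is "over-permission" or "under-permission"."""
    def __init__(self, reason, action, roles, status):
        super().__init__("%s: %s roles=%s status=%s"
                         % (reason, action, sorted(roles), status))
        self.reason = reason

def expected_result(action, roles):
    """Expected stage: evaluate the policy rule for the test roles.

    Supports "role:<r>", "rule:<alias>", "@" (always) and "!" (never),
    joined by "or"/"and" ("and" binds tighter, as in oslo.policy).
    """
    def check(expr):
        if " or " in expr:
            return any(check(part) for part in expr.split(" or "))
        if " and " in expr:
            return all(check(part) for part in expr.split(" and "))
        if expr in ("@", "!"):
            return expr == "@"
        kind, _, value = expr.partition(":")
        if kind == "role":
            return value in roles
        if kind == "rule":
            return check(POLICY[value])
        raise ValueError("unsupported check: %r" % expr)  # e.g. FieldCheck
    return check(POLICY[action])

def validate(action, roles, status):
    """Actual + comparison stages: ``status`` is the HTTP status the API
    returned for the test roles; 2xx means the test passed, 403 failed."""
    expected = expected_result(action, roles)
    passed = 200 <= status < 300
    if (expected and passed) or (not expected and status == 403):
        return "consistent"
    if not expected and passed:
        raise RbacInconsistentResult("over-permission", action, roles, status)
    if expected and status == 403:
        raise RbacInconsistentResult("under-permission", action, roles, status)
    raise ValueError("unexpected API outcome: %s" % status)
```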

-------------------------------
The RBAC Rule Validation Module
-------------------------------

High-level module that provides the decorator that wraps around Tempest tests
and serves as the entry point for RBAC testing validation. The workflow
described above is ultimately carried out by the decorator.

For more information about this module, please see :ref:`rbac-validation`.

---------------------------
The Policy Authority Module
---------------------------

Module called by :ref:`rbac-validation` to verify whether the test
roles are allowed to execute a policy action by querying ``oslo.policy`` with
required test data. The result is used by :ref:`rbac-validation` as the
"Expected" result.

For more information about this module, please see :ref:`policy-authority`.

---------------------
The RBAC Utils Module
---------------------

This module is responsible for handling role switching, the mechanism by which
Patrole is able to set up, tear down and execute APIs using the same set
of credentials. Every RBAC test must perform a role switch even if the role
that is being switched to is admin.

For more information about this module, please see :ref:`rbac-utils`.