RBAC Testing Validation
=======================

.. _validation-workflow-overview:

----------------------------
Validation Workflow Overview
----------------------------

RBAC testing validation is broken up into 3 stages:

#. "Expected" stage. Determine whether the test should be able to succeed
   or fail based on the test roles (defined by ``[patrole] rbac_test_roles``)
   and the policy action that the test enforces.
#. "Actual" stage. Run the test by calling the API endpoint that enforces
   the expected policy action using the test roles.
#. Comparing the outputs from both stages for consistency. A "consistent"
   result is treated as a pass and an "inconsistent" result is treated
   as a failure. "Consistent" (or successful) cases include:

  * Expected result is ``True`` and the test passes.
  * Expected result is ``False`` and the test fails.

  For example, a 200 from the API call and a ``True`` result from
  ``oslo.policy`` or a 403 from the API call and a ``False`` result from
  ``oslo.policy`` are successful results.

  "Inconsistent" (or failing) cases include:

  * Expected result is ``False`` and the test passes. This results in an
    :class:`~rbac_exceptions.RbacOverPermissionException` exception
    getting thrown.
  * Expected result is ``True`` and the test fails. This results in an
    :class:`~rbac_exceptions.RbacOverPermissionException` exception
    getting thrown.

  For example, a 200 from the API call and a ``False`` result from
  ``oslo.policy`` or a 403 from the API call and a ``True`` result from
  ``oslo.policy`` are failing results.

.. warning::

   Note that Patrole cannot currently derive the expected policy result for
   service-specific ``oslo.policy`` `checks`_, like Neutron's `FieldCheck`_,
   because such checks are contained within the service's code base itself,
   which Patrole cannot import.

.. _checks: https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#generic-checks
.. _FieldCheck: https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#fieldcheck-verify-resource-attributes

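The three stages above, written out as a small Python model. This is an added example and not Patrole's own code: the policy table and the role-based "Expected" stage are a simplified stand-in for querying ``oslo.policy`` (real rules are strings such as ``role:admin or rule:owner``; only plain role checks are modelled here), the HTTP status codes are constructed inputs, and the two exception classes are redefined locally, with the under-permission counterpart to ``RbacOverPermissionException`` named on the assumption that it is the one Patrole raises when an allowed role is wrongly denied.

```python
"""Model of Patrole's expected / actual / compare validation workflow.

Added example, not Patrole's code. POLICY is a constructed stand-in for
an oslo.policy file; the exception names follow rbac_exceptions but are
redefined here so the block runs stand-alone.
"""


class RbacOverPermissionException(Exception):
    """The API call succeeded although policy says the role is denied."""


class RbacUnderPermissionException(Exception):
    """The API call was denied although policy says the role is allowed."""


# Constructed policy stand-in: policy action -> roles that may perform it.
POLICY = {
    "os_compute_api:servers:index": {"admin", "member", "reader"},
    "os_compute_api:servers:create": {"admin", "member"},
    "os_compute_api:os-hypervisors": {"admin"},
}


def expected_stage(action, test_roles):
    """Stage 1: would policy allow any of `test_roles` to perform `action`?

    An action with no rule is a test-authoring error, so it is reported
    rather than silently treated as deny.
    """
    if action not in POLICY:
        raise ValueError("no policy rule for %s" % action)
    return any(role in POLICY[action] for role in test_roles)


def actual_stage(status_code):
    """Stage 2: interpret the response the API gave the test roles.

    A 2xx means the service let the call through; 403 means the service's
    own policy enforcement rejected it. Any other code carries no RBAC
    signal and is reported instead of being guessed at.
    """
    if 200 <= status_code < 300:
        return True
    if status_code == 403:
        return False
    raise ValueError("status %d is not an RBAC outcome" % status_code)


def classify(action, test_roles, status_code):
    """Stage 3: compare both stages and name the outcome.

    Returns "consistent" when expected and actual agree, "over" when the
    call succeeded but should have been denied, "under" when it was
    denied but should have succeeded.
    """
    expected = expected_stage(action, test_roles)
    actual = actual_stage(status_code)
    if expected == actual:
        return "consistent"
    return "over" if actual else "under"


def validate(action, test_roles, status_code):
    """Decorator-style entry point: pass silently or raise the
    exception matching the inconsistency."""
    outcome = classify(action, test_roles, status_code)
    if outcome == "over":
        raise RbacOverPermissionException(
            "%s succeeded (%d) for roles %s" % (action, status_code, test_roles))
    if outcome == "under":
        raise RbacUnderPermissionException(
            "%s denied (%d) for roles %s" % (action, status_code, test_roles))
    return True


if __name__ == "__main__":
    # Constructed runs: an allowed create, a correctly denied admin-only
    # call, and a member that the service wrongly let list hypervisors.
    print(classify("os_compute_api:servers:create", ["member"], 201))
    print(classify("os_compute_api:os-hypervisors", ["member"], 403))
    print(classify("os_compute_api:os-hypervisors", ["member"], 200))
```

Only a 2xx or a 403 is accepted as an "Actual" result; treating an unexpected code (a 500, say) as a denial would let a broken service masquerade as a correctly enforced policy, so the model reports it instead.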
-------------------------------
The RBAC Rule Validation Module
-------------------------------

High-level module that provides the decorator that wraps around Tempest tests
and serves as the entry point for RBAC testing validation. The workflow
described above is ultimately carried out by the decorator.

For more information about this module, please see :ref:`rbac-validation`.

---------------------------
The Policy Authority Module
---------------------------

Module called by :ref:`rbac-validation` to verify whether the test
roles are allowed to execute a policy action by querying ``oslo.policy`` with
required test data. The result is used by :ref:`rbac-validation` as the
"Expected" result.

For more information about this module, please see :ref:`policy-authority`.

---------------------
The RBAC Utils Module
---------------------

This module is responsible for handling role switching, the mechanism by which
Patrole is able to set up, tear down and execute APIs using the same set
of credentials. Every RBAC test must perform a role switch even if the role
that is being switched to is admin.

For more information about this module, please see :ref:`rbac-utils`.