skip compute alt tenant tests if no project_id in url
A set of the alt tenant tests in Tempest assume that you can route a
request to an alternate tenant by changing the service url. This is
only true if the project_id is part of the service url. We're moving
to a model where that will be optional in Nova, in which case these
tests no longer test what they were written to test.
Put in a simple check that if client.base_url == alt_client.base_url
then these tests won't work as expected, and skip them.
Redo comments as documentation for the tests touched.
Change-Id: I12d41255e7b809111fd26eb6588ea24e9b4cb3af
diff --git a/tempest/api/compute/test_authorization.py b/tempest/api/compute/test_authorization.py
index 484c156..f8d0cca 100644
--- a/tempest/api/compute/test_authorization.py
+++ b/tempest/api/compute/test_authorization.py
@@ -186,6 +186,14 @@
@test.idempotent_id('acf8724b-142b-4044-82c3-78d31a533f24')
def test_create_server_fails_when_tenant_incorrect(self):
+ # BUG(sdague): this test should fail because of bad auth url,
+ # which means that when we run with a service catalog without
+ # project_id in the urls, it should fail to fail, and thus
+ # fail the test. It does not.
+ #
+ # The 400 BadRequest is clearly ambiguous, and something else
+ # is wrong about this request. This should be fixed.
+ #
# A create server request should fail if the tenant id does not match
# the current user
# Change the base URL to impersonate another user
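Review bot: The added BUG(sdague) comment in test_create_server_fails_when_tenant_incorrect records that the test passes on a 400 that is not attributable to the tenant check, yet the test still runs and reports success, so a green result keeps reading as evidence of tenant isolation. Unlike the three tests changed further down, no skip guard is added here. Consider tying the comment to a tracked bug so it is not lost, e.g. `# BUG(sdague): tracked in <bug-id placeholder>`, and, once the cause of the 400 is understood, asserting on something that separates an isolation rejection from an unrelated bad request. The test body continues outside the hunk, so the request and its assertion are not visible here.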
@@ -199,9 +207,22 @@
@test.idempotent_id('f03d1ded-7fd4-4d29-bc13-e2391f29c625')
def test_create_keypair_in_analt_user_tenant(self):
- # A create keypair request should fail if the tenant id does not match
- # the current user
- # POST keypair with other user tenant
+ """create keypair should not function for alternate tenant
+
+ POST {alt_service_url}/os-keypairs
+
+ Attempt to create a keypair against an alternate tenant by
+ changing using a different tenant's service url. This should
+ return a BadRequest. This tests basic tenant isolation protections.
+
+ NOTE(sdague): if the environment does not use project_id in
+ the service urls, this test is not valid. Skip under these
+ conditions.
+
+ """
+ if self.alt_keypairs_client.base_url == self.keypairs_client.base_url:
+ raise self.skipException("Service urls don't include project_id")
+
k_name = data_utils.rand_name('keypair')
try:
# Change the base URL to impersonate another user
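Review bot: The guard `if self.alt_keypairs_client.base_url == self.keypairs_client.base_url:` followed by `raise self.skipException("Service urls don't include project_id")` is repeated with only the client names changed in test_create_security_group_in_analt_user_tenant and test_create_security_group_rule_in_analt_user_tenant; a small private helper on the class that takes the two clients would keep the condition and the skip message in one place. The three new docstrings also share the phrase "by changing using a different tenant's service url", which reads like a leftover edit; `by using a different tenant's service url` is probably what was meant. Since the BUG comment in the first hunk calls a 400 ambiguous, the docstring could also say what makes the expected BadRequest here specific to tenant isolation. The test body continues outside the hunk.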
@@ -250,9 +271,23 @@
@test.idempotent_id('752c917e-83be-499d-a422-3559127f7d3c')
def test_create_security_group_in_analt_user_tenant(self):
- # A create security group request should fail if the tenant id does not
- # match the current user
- # POST security group with other user tenant
+ """create security group should not function for alternate tenant
+
+ POST {alt_service_url}/os-security-groups
+
+ Attempt to create a security group against an alternate tenant
+ by changing using a different tenant's service url. This
+ should return a BadRequest. This tests basic tenant isolation
+ protections.
+
+ NOTE(sdague): if the environment does not use project_id in
+ the service urls, this test is not valid. Skip under these
+ conditions.
+
+ """
+ if self.alt_security_client.base_url == self.security_client.base_url:
+ raise self.skipException("Service urls don't include project_id")
+
s_name = data_utils.rand_name('security')
s_description = data_utils.rand_name('security')
try:
@@ -289,9 +324,23 @@
@test.idempotent_id('b2b76de0-210a-4089-b921-591c9ec552f6')
def test_create_security_group_rule_in_analt_user_tenant(self):
- # A create security group rule request should fail if the tenant id
- # does not match the current user
- # POST security group rule with other user tenant
+ """create security group rule should not function for alternate tenant
+
+ POST {alt_service_url}/os-security-group-rules
+
+ Attempt to create a security group rule against an alternate
+ tenant by changing using a different tenant's service
+ url. This should return a BadRequest. This tests basic tenant
+ isolation protections.
+
+ NOTE(sdague): if the environment does not use project_id in
+ the service urls, this test is not valid. Skip under these
+ conditions.
+
+ """
+ if self.alt_security_client.base_url == self.security_client.base_url:
+ raise self.skipException("Service urls don't include project_id")
+
parent_group_id = self.security_group['id']
ip_protocol = 'icmp'
from_port = -1
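Review bot: The guard in test_create_security_group_rule_in_analt_user_tenant compares `alt_security_client` and `security_client`, the same pair as the security group test above, although this test's docstring targets os-security-group-rules. If the request further down is sent through a separate rule client (not visible in this hunk), the guard should compare the base_url of the pair whose URL is actually rewritten, so the skip decision follows the client under test. The body continues outside the hunk.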