
Complete RBAC test coverage for Shipyard APIs

This commit adds the appropriate clients and tests for the following
Shipyard API actions:
  - `workflow_orchestrator:action_deploy_site`
  - `workflow_orchestrator:action_update_site`
  - `workflow_orchestrator:action_update_software`
  - `workflow_orchestrator:action_redeploy_server`
  - `workflow_orchestrator:get_site_statuses`

Change-Id: Ida48ec860dc7cd0842c65c662a50ec3d67c41b77
Rick Bartra 7 months ago
parent
commit
447f620765

+ 2
- 2
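--- a/airship_tempest_plugin/services/shipyard/json/actions_client.py
+++ b/airship_tempest_plugin/services/shipyard/json/actions_client.py
@@ -39,10 +39,10 @@ class ActionsClient(rest_client.RestClient):
         body = json.loads(body)
         return rest_client.ResponseBody(resp, body)
 
-    def create_action(self):
+    def create_action(self, action=None):
         url = 'actions'
         # Update post_body if functional testing is desired
-        post_body = json.dumps({})
+        post_body = json.dumps({"name": action})
         resp, body = self.post(url, post_body)
         self.expected_success(201, resp.status)
         body = json.loads(body)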
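Review bot: With the new default `action=None`, a call that passes no argument now posts `{"name": null}` instead of the previous `{}`, so existing callers of `create_action()` silently send a different body. Building the payload conditionally keeps the old behaviour for them: `post_body = json.dumps({"name": action} if action is not None else {})`. The comment `# Update post_body if functional testing is desired` no longer describes the line below it and could instead say that only the action name is sent, which is all the RBAC tests need. The body of `create_action` continues past the end of the hunk.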

+ 34
- 0
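--- a/airship_tempest_plugin/services/shipyard/json/site_statuses_client.py
+++ b/airship_tempest_plugin/services/shipyard/json/site_statuses_client.py
@@ -0,0 +1,34 @@
+# Copyright 2018 AT&T Corp
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""
+https://github.com/openstack/airship-shipyard/blob/master/docs/source/API.rst#site-statuses-api
+"""
+
+from oslo_serialization import jsonutils as json
+
+from tempest.lib.common import rest_client
+
+
+class SiteStatusesClient(rest_client.RestClient):
+    api_version = "v1.0"
+
+    # Note: add support of query filters if testing beyond RBAC is desired
+    def get_site_statuses(self):
+        resp, body = self.get('site_statuses')
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)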
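Review bot: `SiteStatusesClient` and `get_site_statuses` have no docstrings, and the module docstring is only a URL into the `master` branch, which can move or disappear. A one-line method docstring such as `"""GET site_statuses and return the decoded JSON body; a status other than 200 fails the call."""` would make the contract readable without following the link. The note about query filters would read better inside that docstring than as a comment above the `def`.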

+ 16
- 0
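--- a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
+++ b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
@@ -6,6 +6,18 @@ shipyard:
   workflow_orchestrator:create_action:
     - admin
     - admin_ucp
+  workflow_orchestrator:action_deploy_site:
+    - admin
+    - admin_ucp
+  workflow_orchestrator:action_update_site:
+    - admin
+    - admin_ucp
+  workflow_orchestrator:action_update_software:
+    - admin
+    - admin_ucp
+  workflow_orchestrator:action_redeploy_server:
+    - admin
+    - admin_ucp
   workflow_orchestrator:get_action:
     - admin
     - admin_ucp
@@ -51,3 +63,7 @@ shipyard:
     - admin
     - admin_ucp
     - admin_ucp_viewer
+  workflow_orchestrator:get_site_statuses:
+    - admin
+    - admin_ucp
+    - admin_ucp_viewer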
+    - admin_ucp_viewer

+ 7
- 0
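--- a/airship_tempest_plugin/tests/api/shipyard/base.py
+++ b/airship_tempest_plugin/tests/api/shipyard/base.py
@@ -22,6 +22,8 @@ from airship_tempest_plugin.services.shipyard.json.document_staging_client \
     import DocumentStagingClient
 from airship_tempest_plugin.services.shipyard.json.log_retrieval_client \
     import LogRetrievalClient
+from airship_tempest_plugin.services.shipyard.json.site_statuses_client \
+    import SiteStatusesClient
 
 from tempest import config
 from tempest import test
@@ -65,3 +67,8 @@ class BaseShipyardTest(test.BaseTestCase):
             CONF.shipyard.catalog_type,
             CONF.identity.region,
             CONF.shipyard.endpoint_type)
+        cls.shipyard_site_statuses_client = SiteStatusesClient(
+            cls.auth_provider,
+            CONF.shipyard.catalog_type,
+            CONF.identity.region,
+            CONF.shipyard.endpoint_type)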

+ 84
- 0
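--- a/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py
+++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py
@@ -14,13 +14,19 @@
 #    under the License.
 #
 
+import logging
+
 from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base
 
 from patrole_tempest_plugin import rbac_rule_validation
 
+from tempest import config
 from tempest.lib import decorators
 from tempest.lib import exceptions
 
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
 
 class ActionsRbacTest(rbac_base.BaseShipyardRbacTest):
 
@@ -47,6 +53,84 @@ class ActionsRbacTest(rbac_base.BaseShipyardRbacTest):
             except (exceptions.BadRequest, exceptions.NotFound):
                 pass
 
+    @rbac_rule_validation.action(
+        service="shipyard",
+        rules=["workflow_orchestrator:action_deploy_site"])
+    @decorators.idempotent_id('e69687da-8d4e-413b-a566-c0e56b5d1087')
+    def test_deploy_site(self):
+        with self.rbac_utils.override_role(self):
+            LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
+                     "is enforced first and if permission is denied, then "
+                     "there is no additional enforcement. If permission is "
+                     "allowed to `workflow_orchestrator:create_action`, then "
+                     "`workflow_orchestrator:action_deploy_site` is enforced. "
+                     " If this test fails, check permissions of both actions.")
+            try:
+                self.shipyard_actions_client.create_action(
+                    action="deploy_site")
+            # Ignore exceptions besides Forbidden
+            except (exceptions.BadRequest, exceptions.NotFound):
+                pass
+
+    @rbac_rule_validation.action(
+        service="shipyard",
+        rules=["workflow_orchestrator:action_update_site"])
+    @decorators.idempotent_id('95f3b377-99ae-4ac2-8ce3-1e52ca081abc')
+    def test_update_site(self):
+        with self.rbac_utils.override_role(self):
+            LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
+                     "is enforced first and if permission is denied, then "
+                     "there is no additional enforcement. If permission is "
+                     "allowed to `workflow_orchestrator:create_action`, then "
+                     "`workflow_orchestrator:action_update_site` is enforced. "
+                     " If this test fails, check permissions of both actions.")
+            try:
+                self.shipyard_actions_client.create_action(
+                    action="update_site")
+            # Ignore exceptions besides Forbidden
+            except (exceptions.BadRequest, exceptions.NotFound):
+                pass
+
+    @rbac_rule_validation.action(
+        service="shipyard",
+        rules=["workflow_orchestrator:action_update_software"])
+    @decorators.idempotent_id('18fae927-e759-4a60-bceb-81807b9f2c10')
+    def test_update_software(self):
+        with self.rbac_utils.override_role(self):
+            LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
+                     "is enforced first and if permission is denied, then "
+                     "there is no additional enforcement. If permission is "
+                     "allowed to `workflow_orchestrator:create_action`, then "
+                     "`workflow_orchestrator:action_update_software` is "
+                     "enforced. If this test fails, check permissions of both "
+                     "actions.")
+            try:
+                self.shipyard_actions_client.create_action(
+                    action="update_software")
+            # Ignore exceptions besides Forbidden
+            except (exceptions.BadRequest, exceptions.NotFound):
+                pass
+
+    @rbac_rule_validation.action(
+        service="shipyard",
+        rules=["workflow_orchestrator:action_redeploy_server"])
+    @decorators.idempotent_id('bba1eb77-c350-4c3b-b62d-3eea8bc13110')
+    def test_redeploy_server(self):
+        with self.rbac_utils.override_role(self):
+            LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
+                     "is enforced first and if permission is denied, then "
+                     "there is no additional enforcement. If permission is "
+                     "allowed to `workflow_orchestrator:create_action`, then "
+                     "`workflow_orchestrator:action_redeploy_server` is "
+                     "enforced. If this test fails, check permissions of both "
+                     "actions.")
+            try:
+                self.shipyard_actions_client.create_action(
+                    action="redeploy_server")
+            # Ignore exceptions besides Forbidden
+            except (exceptions.BadRequest, exceptions.NotFound):
+                pass
+
     @rbac_rule_validation.action(
         service="shipyard",
         rules=["workflow_orchestrator:get_action"])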
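Review bot: The four added tests in the second hunk repeat the same body and log the same explanation through `LOG.warn`, a deprecated alias of `LOG.warning` in the standard logging module; one helper taking the action name would remove the duplication and the stray double space in the first two messages (`"... is enforced. " " If this test fails"`). Because `BadRequest` and `NotFound` are swallowed, a request rejected for its body before the action-specific policy is consulted would look the same as an allowed one; whether Shipyard validates the body before or after that check is not visible here, so it is worth confirming. `CONF = config.CONF` is added in the first hunk but is not used in the lines shown. `ActionsRbacTest` starts before and continues after these hunks.

```python
    def _create_action_ignoring_non_rbac_errors(self, action):
        # create_action is enforced before the action-specific rule, so a
        # Forbidden here can come from either policy.
        LOG.warning("`workflow_orchestrator:create_action` is enforced "
                    "before `workflow_orchestrator:action_%s`; if this test "
                    "fails, check permissions of both actions.", action)
        try:
            self.shipyard_actions_client.create_action(action=action)
        # Ignore exceptions besides Forbidden
        except (exceptions.BadRequest, exceptions.NotFound):
            pass

    # ... unchanged: rbac_rule_validation.action and idempotent_id decorators ...
    def test_deploy_site(self):
        with self.rbac_utils.override_role(self):
            self._create_action_ignoring_non_rbac_errors("deploy_site")

    # ... test_update_site, test_update_software, test_redeploy_server likewise ...
```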

+ 39
- 0
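--- a/airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py
+++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py
@@ -0,0 +1,39 @@
+# Copyright 2018 AT&T Corp
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base
+
+from patrole_tempest_plugin import rbac_rule_validation
+
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+
+class SiteStatusesRbacTest(rbac_base.BaseShipyardRbacTest):
+
+    @rbac_rule_validation.action(
+        service="shipyard",
+        rules=["workflow_orchestrator:get_site_statuses"])
+    @decorators.idempotent_id('3fcc69f6-8e15-4062-b582-2e5c366a6dc3')
+    def test_get_site_statuses(self):
+        with self.rbac_utils.override_role(self):
+            # As this is a RBAC test, we only care about whether the role has
+            # permission or not. Role permission is checked prior to validating
+            # the post body, therefore we will ignore a BadRequest exception
+            try:
+                self.shipyard_site_statuses_client.get_site_statuses()
+            except exceptions.BadRequest:
+                pass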
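Review bot: The comment inside `test_get_site_statuses` speaks of "validating the post body", but `get_site_statuses()` issues a GET on `site_statuses` with no body, so the text looks copied from the actions tests. If `BadRequest` cannot occur for this call, the `try`/`except` can be dropped and the block reduces to the single client call, which avoids hiding an unexpected 400. If the handler is kept, the comment could read `# RBAC-only check: a BadRequest still means the role passed policy enforcement`.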
