Complete RBAC test coverage for Shipyard Document Staging API

This commmit completes RBAC coverage for Shipyard Document Staging API, for the APIs noted here [0]. For now, the goal is to meet the first use-case of this plugin, which is to test RBAC for Shipyard. With this in mind, for RBAC testing, we only care if a role has permission to an API in question. Therefore, some of the more complex APIs are 'short circuit' tests - meaning only RBAC permissions are checked and other expections are ignored. [0] http://airship-shipyard.readthedocs.io/en/latest/API.html#document-staging-api
2018-08-17 17:37:51 -04:00 · 2018-08-17 17:37:51 -04:00 · e7807b4caf
commit e7807b4caf
parent 6b87d7d633
5 changed files with 112 additions and 6 deletions
--- a/README.rst
+++ b/README.rst
@ -4,3 +4,11 @@ Tempest Integration of airship-tempest-plugin

 The purpose of this plugin is to provide automated tests
 for all OpenStack Airship components.
+
+DISCALIMER:
+This initial implementation is just to meet the first use case which is RBAC
+testing. For RBAC testing, we only need to hit the API endpoint and check
+role permission to the API being tested. Some of the REST clients will need to be
+rewritten if functional testing is desired. Those that need to be rewritten
+are documented in each service client code.
+
--- a/airship_tempest_plugin/README.rst
+++ b/airship_tempest_plugin/README.rst
@ -1,6 +0,0 @@
-===============================================
-Tempest Integration of airship-tempest-plugin
-===============================================
-
-This directory contains Tempest tests to cover the airship-tempest-plugin project.
-
--- a/airship_tempest_plugin/services/shipyard/json/document_staging_client.py
+++ b/airship_tempest_plugin/services/shipyard/json/document_staging_client.py
@ -23,6 +23,15 @@ from six.moves.urllib import parse as urllib

 from tempest.lib.common import rest_client

+# NOTE(rb560u): The following will need to be rewritten in the future if
+# functional testing is desired:
+#  - 'def post_configdocs`
+#  - `def get_configdocs_within_collection`
+#  - 'def post_commitconfigdocs'
+# This initial implementation is just to meet the first use case which is RBAC
+# testing. For RBAC testing, we only need to hit the API endpoint and check
+# role permission to that API.
+

 class DocumentStagingClient(rest_client.RestClient):
    api_version = "v1.0"
@ -32,3 +41,30 @@ class DocumentStagingClient(rest_client.RestClient):
        self.expected_success(200, resp.status)
        body = json.loads(body)
        return rest_client.ResponseBody(resp, body)
+
+    def post_configdocs(self):
+        url = "configdocs/1"
+        post_body = json.dumps({})
+        resp, body = self.post(url, post_body)
+        self.expected_success(201, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
+
+    def get_configdocs_within_collection(self):
+        resp, body = self.get('configdocs/1')
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
+
+    def get_renderedconfigdocs(self):
+        resp, body = self.get('renderedconfigdocs')
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
+
+    def post_commitconfigdocs(self):
+        post_body = json.dumps({})
+        resp, body = self.post("commitconfigdocs", post_body)
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
--- a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
+++ b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
@ -11,3 +11,18 @@ shipyard:
    - admin
    - admin_ucp
    - admin_ucp_viewer
+  post_configdocs:
+    - admin
+    - admin_ucp
+  get_configdocs_within_collection:
+    - admin
+    - admin_ucp
+    - admin_ucp_viewer
+  get_renderedconfigdocs:
+    - admin
+    - admin_ucp
+    - admin_ucp_viewer
+  post_commitconfigdocs:
+    - admin
+    - admin_ucp
+    - admin_ucp_viewer
--- a/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py
+++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py
@ -20,6 +20,7 @@ from patrole_tempest_plugin import rbac_rule_validation

 from tempest.common import utils
 from tempest.lib import decorators
+from tempest.lib import exceptions
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils

@ -33,3 +34,55 @@ class DocumentStagingRbacTest(rbac_base.BaseShipyardRbacTest):
    def test_get_configdocs(self):
        with self.rbac_utils.override_role(self):
            self.shipyard_document_staging_client.get_configdocs()
+
+    @rbac_rule_validation.action(service="shipyard",
+                                 rules=["post_configdocs"])
+    @decorators.idempotent_id('1a0daf92-9dba-470c-a317-66b41c0b3df7')
+    def test_post_configdocs(self):
+        with self.rbac_utils.override_role(self):
+            # As this is a RBAC test, we only care about whether the role has
+            # permission or not. Role permission is checked prior to validating
+            # the post body, therefore we will ignore a BadRequest exception
+            try:
+                self.shipyard_document_staging_client.post_configdocs()
+            except exceptions.BadRequest:
+                pass
+
+    @rbac_rule_validation.action(service="shipyard",
+                                 rules=["get_configdocs_within_collection"])
+    @decorators.idempotent_id('d64cfa75-3bbe-4688-8849-db5a54ce98ea')
+    def test_get_configdocs_within_collection(self):
+        with self.rbac_utils.override_role(self):
+            # As this is a RBAC test, we only care about whether the role has
+            # permission or not. Role permission is checked prior to validating
+            # the post body, therefore we will ignore a NotFound exception
+            try:
+                self.shipyard_document_staging_client.get_configdocs_within_collection()
+            except exceptions.NotFound:
+                pass
+
+    @rbac_rule_validation.action(service="shipyard",
+                                 rules=["get_renderedconfigdocs"])
+    @decorators.idempotent_id('0ab53b15-bce9-494f-9a11-34dd2c44d699')
+    def test_get_renderedconfigdocs(self):
+        with self.rbac_utils.override_role(self):
+            # As this is a RBAC test, we only care about whether the role has
+            # permission or not. Role permission is checked prior to validating
+            # the post body, therefore we will ignore a NotFound exception
+            try:
+                self.shipyard_document_staging_client.get_renderedconfigdocs()
+            except exceptions.NotFound:
+                pass
+
+    @rbac_rule_validation.action(service="shipyard",
+                                 rules=["post_commitconfigdocs"])
+    @decorators.idempotent_id('200d1cbf-ca11-4b92-9cfd-6cd2a90bc919')
+    def test_post_commitconfigdocs(self):
+        with self.rbac_utils.override_role(self):
+            # As this is a RBAC test, we only care about whether the role has
+            # permission or not. Role permission is checked prior to validating
+            # the post body, therefore we will ignore a Conflict exception
+            try:
+                self.shipyard_document_staging_client.post_commitconfigdocs()
+            except exceptions.Conflict:
+                pass