From 378efe61acd169f4edb5601df8d4cf972acd4813 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Fri, 15 Oct 2021 20:07:52 +0000
Subject: [PATCH] Add secure-rbac test for Container ACL API

This patch adds policy tests for the Containers ACL API.

Change-Id: I4e01c0e7f93f52c72faadb9d2a8317f9f553904b
---
 .../tests/rbac/v1/test_containers.py | 76 ++++++++++++++++---
 1 file changed, 64 insertions(+), 12 deletions(-)

diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
index 951a9a5..95b37a1 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
@@ -65,9 +65,8 @@ class BarbicanV1RbacContainers:
 
     @abc.abstractmethod
     def test_get_container_acl(self):
-        """Test get_container_acl policy
+        """Test GET /v1/containers/{container-id}/acl
 
-        Testing: GET /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can get a containers acl
         """
@@ -75,9 +74,8 @@ class BarbicanV1RbacContainers:
 
     @abc.abstractmethod
     def test_update_container_acl(self):
-        """Test update_container_acl policy
+        """Test PATCH /v1/containers/{container-id}/acl
 
-        Testing: PATCH /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can update an existing containers acl
         """
@@ -85,9 +83,8 @@ class BarbicanV1RbacContainers:
 
     @abc.abstractmethod
     def test_create_container_acl(self):
-        """Test create_container_acl policy
+        """Test PUT /v1/containers/{container-id}/acl
 
-        Testing: PUT /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can create a containers acl
         """
@@ -95,9 +92,8 @@ class BarbicanV1RbacContainers:
 
     @abc.abstractmethod
     def test_delete_container_acl(self):
-        """Test delete_container_acl policy
+        """Test DELETE /v1/containers/{container-id}/acl
 
-        Testing: DELETE /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can delete a containers acl
         """
@@ -183,6 +179,12 @@ class ProjectReaderTests(base.BarbicanV1RbacBase, BarbicanV1RbacContainers):
         self.container_id = self.create_test_container(
             self.container_client,
             data_utils.rand_name('test-containers'))
+        self.valid_acl = {
+            'read': {
+                'users': [self.other_secret_client.user_id],
+                'project-access': True
+            }
+        }
 
     def test_list_containers(self):
         self.assertRaises(
@@ -207,16 +209,30 @@ class ProjectReaderTests(base.BarbicanV1RbacBase, BarbicanV1RbacContainers):
             container_id=self.container_id)
 
     def test_get_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.get_container_acl,
+            self.container_id)
 
     def test_update_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.patch_container_acl,
+            self.container_id,
+            self.valid_acl)
 
     def test_create_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.put_container_acl,
+            self.container_id,
+            self.valid_acl)
 
     def test_delete_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.delete_container,
+            self.container_id)
 
     def test_list_container_consumers(self):
         resp = self.create_empty_container_admin(
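Review bot: In ProjectReaderTests.test_delete_container_acl the assertRaises target is `self.client.delete_container` rather than `self.client.delete_container_acl`, so the Forbidden it observes comes from the container-delete policy, not from the ACL-delete policy the test is named for and that the abstract docstring (DELETE /v1/containers/{container-id}/acl) describes. As written the test would keep passing even if the reader persona were wrongly allowed to delete ACLs, which is exactly the regression a policy test exists to catch. Change the target line to `self.client.delete_container_acl,` so it matches the method the ProjectMemberTests version of this test already calls. The enclosing ProjectReaderTests class continues outside the hunk.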
@@ -329,6 +345,42 @@ class ProjectMemberTests(ProjectReaderTests):
                   for sr in resp['secret_refs']]
         self.assertNotIn(self.secret_id, secret_ids)
 
+    def test_get_container_acl(self):
+        resp = self.client.get_container_acl(self.container_id)
+        self.assertIn('read', resp.keys())
+
+    def test_create_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+
+    def test_update_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+        clear_users_acl = {
+            'read': {
+                'users': []
+            }
+        }
+
+        _ = self.client.patch_container_acl(self.container_id, clear_users_acl)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertNotIn(self.other_secret_client.user_id,
+                         acl['read']['users'])
+
+    def test_delete_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+
+        _ = self.client.delete_container_acl(self.container_id)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertNotIn('users', acl['read'].keys())
+
 
 class ProjectAdminTests(ProjectMemberTests):