Add more users/roles to secret/container RBAC tests

Completed the set of RBAC users by adding audit and creator users for group b, then add those users to the tests for secret and container GET tests. This completes the matrix of tests for secret and container GET. Updated the scripts to ensure the users get setup correctly in devstack and via keystone_data.sh. Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 15:33:31 -05:00 · 2015-05-22 15:33:31 -05:00 · 5e82cbeaec
commit 5e82cbeaec
parent afde0a52b0
6 changed files with 80 additions and 1 deletions
--- a/bin/keystone_data.sh
+++ b/bin/keystone_data.sh
@ -135,6 +135,19 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
        --user="$USER_ID" \
        --role="$ROLE_ADMIN_ID" \
        --tenant-id="$PROJECT_B_ID"
+
+    #
+    # Setup RBAC Creator of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_creator" \
+        --pass="$USER_PASSWORD" \
+        --email="creator_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_CREATOR_ID" \
+        --tenant-id="$PROJECT_B_ID"
+
    #
    # Setup RBAC Observer of Project B
    #
@ -146,6 +159,18 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
        --user="$USER_ID" \
        --role="$ROLE_OBSERVER_ID" \
        --tenant-id="$PROJECT_B_ID"
+
+    #
+    # Setup RBAC Auditor of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_auditor" \
+        --pass="$USER_PASSWORD" \
+        --email="auditor_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_AUDIT_ID" \
+        --tenant-id="$PROJECT_B_ID"
    #
    # Setup Admin Endpoint
    #
--- a/contrib/devstack/lib/barbican
+++ b/contrib/devstack/lib/barbican
@ -280,6 +280,17 @@ function create_barbican_accounts {
        --role="$ROLE_ADMIN_ID" \
        --tenant-id="$PROJECT_B_ID"
    #
+    # Setup RBAC Creator of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_creator" \
+        --pass="$PASSWORD" \
+        --email="creator_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_CREATOR_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
    # Setup RBAC Observer of Project B
    #
    USER_ID=$(get_id keystone user-create \
@ -291,6 +302,17 @@ function create_barbican_accounts {
        --role="$ROLE_OBSERVER_ID" \
        --tenant-id="$PROJECT_B_ID"
    #
+    # Setup RBAC auditor of Project B
+    #
+    USER_ID=$(get_id keystone user-create \
+        --name="project_b_auditor" \
+        --pass="$PASSWORD" \
+        --email="auditor_b@example.net")
+    keystone user-role-add \
+        --user="$USER_ID" \
+        --role="$ROLE_AUDIT_ID" \
+        --tenant-id="$PROJECT_B_ID"
+    #
    # Setup Admin Endpoint
    #
    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
--- a/etc/barbican/barbican-functional.conf
+++ b/etc/barbican/barbican-functional.conf
@ -14,6 +14,8 @@ domain_name=Default
 # Replace these values that represent additional users for RBAC testing
 project_a=project_a
 project_b=project_b
+
+# users for project_a
 admin_a=project_a_admin
 admin_a_password=barbican
 creator_a=project_a_creator
@ -22,10 +24,16 @@ observer_a=project_a_observer
 observer_a_password=barbican
 auditor_a=project_a_auditor
 auditor_a_password=barbican
+
+# users for project_b
 admin_b=project_b_admin
 admin_b_password=barbican
+creator_b=project_b_creator
+creator_b_password=barbican
 observer_b=project_b_observer
 observer_b_password=barbican
+auditor_b=project_b_auditor
+auditor_b_password=barbican

 [keymanager]

--- a/functionaltests/api/v1/functional/test_rbac.py
+++ b/functionaltests/api/v1/functional/test_rbac.py
@ -26,8 +26,11 @@ admin_a = CONF.rbac_users.admin_a
 creator_a = CONF.rbac_users.creator_a
 observer_a = CONF.rbac_users.observer_a
 auditor_a = CONF.rbac_users.auditor_a
+
 admin_b = CONF.rbac_users.admin_b
+creator_b = CONF.rbac_users.creator_b
 observer_b = CONF.rbac_users.observer_b
+auditor_b = CONF.rbac_users.auditor_b


 test_data_rbac_read_secret = {
@ -36,7 +39,9 @@ test_data_rbac_read_secret = {
    'with_observer_a': {'user': observer_a, 'expected_return': 200},
    'with_auditor_a': {'user': auditor_a, 'expected_return': 403},
    'with_admin_b': {'user': admin_b, 'expected_return': 403},
+    'with_creator_b': {'user': creator_b, 'expected_return': 403},
    'with_observer_b': {'user': observer_b, 'expected_return': 403},
+    'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
 }


@ -46,7 +51,9 @@ test_data_rbac_read_container = {
    'with_observer_a': {'user': observer_a, 'expected_return': 200},
    'with_auditor_a': {'user': auditor_a, 'expected_return': 200},
    'with_admin_b': {'user': admin_b, 'expected_return': 403},
+    'with_creator_b': {'user': creator_b, 'expected_return': 403},
    'with_observer_b': {'user': observer_b, 'expected_return': 403},
+    'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
 }


--- a/functionaltests/common/client.py
+++ b/functionaltests/common/client.py
@ -76,12 +76,24 @@ class BarbicanClient(object):
            username=CONF.rbac_users.admin_b,
            password=CONF.rbac_users.admin_b_password,
            project_name=CONF.rbac_users.project_b)
+        self._auth[CONF.rbac_users.creator_b] = auth.FunctionalTestAuth(
+            endpoint=CONF.identity.uri,
+            version=CONF.identity.version,
+            username=CONF.rbac_users.creator_b,
+            password=CONF.rbac_users.creator_b_password,
+            project_name=CONF.rbac_users.project_b)
        self._auth[CONF.rbac_users.observer_b] = auth.FunctionalTestAuth(
            endpoint=CONF.identity.uri,
            version=CONF.identity.version,
            username=CONF.rbac_users.observer_b,
            password=CONF.rbac_users.observer_b_password,
            project_name=CONF.rbac_users.project_b)
+        self._auth[CONF.rbac_users.auditor_b] = auth.FunctionalTestAuth(
+            endpoint=CONF.identity.uri,
+            version=CONF.identity.version,
+            username=CONF.rbac_users.auditor_b,
+            password=CONF.rbac_users.auditor_b_password,
+            project_name=CONF.rbac_users.project_b)

    def _attempt_to_stringify_content(self, content, content_tag):
        if content is None:
--- a/functionaltests/common/config.py
+++ b/functionaltests/common/config.py
@ -50,8 +50,13 @@ def setup_config(config_file=''):
        cfg.StrOpt('auditor_a_password', default='barbican'),
        cfg.StrOpt('admin_b', default='project_b_admin'),
        cfg.StrOpt('admin_b_password', default='barbican'),
+        cfg.StrOpt('creator_b', default='project_b_creator'),
+        cfg.StrOpt('creator_b_password', default='barbican'),
        cfg.StrOpt('observer_b', default='project_b_observer'),
-        cfg.StrOpt('observer_b_password', default='barbican')]
+        cfg.StrOpt('observer_b_password', default='barbican'),
+        cfg.StrOpt('auditor_b', default='project_b_auditor'),
+        cfg.StrOpt('auditor_b_password', default='barbican'),
+    ]
    TEST_CONF.register_group(rbac_users_group)
    TEST_CONF.register_opts(rbac_users_options, group=rbac_users_group)