From 5e82cbeaecf34524d20e62113e3276d091f8761a Mon Sep 17 00:00:00 2001
From: Steve Heyman
Date: Fri, 22 May 2015 15:33:31 -0500
Subject: [PATCH] Add more users/roles to secret/container RBAC tests

Completed the set of RBAC users by adding audit and creator users for group b, then add those users to the tests for secret and container GET tests. This completes the matrix of tests for secret and container GET. Updated the scripts to ensure the users get setup correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
---
 bin/keystone_data.sh | 25 +++++++++++++++++++
 contrib/devstack/lib/barbican | 22 ++++++++++++++++
 etc/barbican/barbican-functional.conf | 8 ++++++
 .../api/v1/functional/test_rbac.py | 7 ++++++
 functionaltests/common/client.py | 12 +++++++++
 functionaltests/common/config.py | 7 +++++-
 6 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/bin/keystone_data.sh b/bin/keystone_data.sh
index 3e2c57ea5..68dba2b3b 100755
--- a/bin/keystone_data.sh
+++ b/bin/keystone_data.sh
@@ -135,6 +135,19 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
 --user="$USER_ID" \
 --role="$ROLE_ADMIN_ID" \
 --tenant-id="$PROJECT_B_ID"
+
+ #
+ # Setup RBAC Creator of Project B
+ #
+ USER_ID=$(get_id keystone user-create \
+ --name="project_b_creator" \
+ --pass="$USER_PASSWORD" \
+ --email="creator_b@example.net")
+ keystone user-role-add \
+ --user="$USER_ID" \
+ --role="$ROLE_CREATOR_ID" \
+ --tenant-id="$PROJECT_B_ID"
+
 #
 # Setup RBAC Observer of Project B
 #
@@ -146,6 +159,18 @@ if [[ "$ENABLED_SERVICES" =~ "barbican" ]]; then
 --user="$USER_ID" \
 --role="$ROLE_OBSERVER_ID" \
 --tenant-id="$PROJECT_B_ID"
+
+ #
+ # Setup RBAC Auditor of Project B
+ #
+ USER_ID=$(get_id keystone user-create \
+ --name="project_b_auditor" \
+ --pass="$USER_PASSWORD" \
+ --email="auditor_b@example.net")
+ keystone user-role-add \
+ --user="$USER_ID" \
+ --role="$ROLE_AUDIT_ID" \
+ --tenant-id="$PROJECT_B_ID"
 #
 # Setup Admin Endpoint
 #
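Review bot: The creator and auditor blocks added in both hunks are copies of the existing project B admin/observer blocks differing only in name, e-mail and role variable, so four near-identical user-create/user-role-add sequences now live inside this `if` block, and the two hunks in contrib/devstack/lib/barbican repeat the same pattern with `$PASSWORD`. A small helper keeps the sequence in one place, so the next role is a one-line addition and a fix to the role binding is applied once rather than four times. The new lines also rely on `$ROLE_CREATOR_ID` and `$ROLE_AUDIT_ID` being populated earlier in the script (outside the hunk, presumably in the role setup), which deserves a comment such as `# requires ROLE_CREATOR_ID and ROLE_AUDIT_ID from the role setup above`. The enclosing `if` block starts and ends outside both hunks.
```shell
# … unchanged: project B admin and observer setup …
# Create one RBAC test user in project B and grant it the given role.
create_project_b_user() {
    local name=$1 email=$2 role_id=$3
    local user_id
    user_id=$(get_id keystone user-create \
        --name="$name" \
        --pass="$USER_PASSWORD" \
        --email="$email")
    keystone user-role-add \
        --user="$user_id" \
        --role="$role_id" \
        --tenant-id="$PROJECT_B_ID"
}
create_project_b_user "project_b_creator" "creator_b@example.net" "$ROLE_CREATOR_ID"
create_project_b_user "project_b_auditor" "auditor_b@example.net" "$ROLE_AUDIT_ID"
```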
diff --git a/contrib/devstack/lib/barbican b/contrib/devstack/lib/barbican
index a853a0e81..164033d70 100755
--- a/contrib/devstack/lib/barbican
+++ b/contrib/devstack/lib/barbican
@@ -280,6 +280,17 @@ function create_barbican_accounts {
 --role="$ROLE_ADMIN_ID" \
 --tenant-id="$PROJECT_B_ID"
 #
+ # Setup RBAC Creator of Project B
+ #
+ USER_ID=$(get_id keystone user-create \
+ --name="project_b_creator" \
+ --pass="$PASSWORD" \
+ --email="creator_b@example.net")
+ keystone user-role-add \
+ --user="$USER_ID" \
+ --role="$ROLE_CREATOR_ID" \
+ --tenant-id="$PROJECT_B_ID"
+ #
 # Setup RBAC Observer of Project B
 #
 USER_ID=$(get_id keystone user-create \
@@ -291,6 +302,17 @@ function create_barbican_accounts {
 --role="$ROLE_OBSERVER_ID" \
 --tenant-id="$PROJECT_B_ID"
 #
+ # Setup RBAC auditor of Project B
+ #
+ USER_ID=$(get_id keystone user-create \
+ --name="project_b_auditor" \
+ --pass="$PASSWORD" \
+ --email="auditor_b@example.net")
+ keystone user-role-add \
+ --user="$USER_ID" \
+ --role="$ROLE_AUDIT_ID" \
+ --tenant-id="$PROJECT_B_ID"
+ #
 # Setup Admin Endpoint
 #
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/etc/barbican/barbican-functional.conf b/etc/barbican/barbican-functional.conf
index c9ddf3a61..a2c36ee00 100644
--- a/etc/barbican/barbican-functional.conf
+++ b/etc/barbican/barbican-functional.conf
@@ -14,6 +14,8 @@ domain_name=Default
 # Replace these values that represent additional users for RBAC testing
 project_a=project_a
 project_b=project_b
+
+# users for project_a
 admin_a=project_a_admin
 admin_a_password=barbican
 creator_a=project_a_creator
@@ -22,10 +24,16 @@ observer_a=project_a_observer
 observer_a_password=barbican
 auditor_a=project_a_auditor
 auditor_a_password=barbican
+
+# users for project_b
 admin_b=project_b_admin
 admin_b_password=barbican
+creator_b=project_b_creator
+creator_b_password=barbican
 observer_b=project_b_observer
 observer_b_password=barbican
+auditor_b=project_b_auditor
+auditor_b_password=barbican
 
 
 [keymanager]
diff --git a/functionaltests/api/v1/functional/test_rbac.py b/functionaltests/api/v1/functional/test_rbac.py
index 4afef29f9..193be506a 100644
--- a/functionaltests/api/v1/functional/test_rbac.py
+++ b/functionaltests/api/v1/functional/test_rbac.py
@@ -26,8 +26,11 @@ admin_a = CONF.rbac_users.admin_a
 creator_a = CONF.rbac_users.creator_a
 observer_a = CONF.rbac_users.observer_a
 auditor_a = CONF.rbac_users.auditor_a
+
 admin_b = CONF.rbac_users.admin_b
+creator_b = CONF.rbac_users.creator_b
 observer_b = CONF.rbac_users.observer_b
+auditor_b = CONF.rbac_users.auditor_b
 
 
 test_data_rbac_read_secret = {
@@ -36,7 +39,9 @@ test_data_rbac_read_secret = {
 'with_observer_a': {'user': observer_a, 'expected_return': 200},
 'with_auditor_a': {'user': auditor_a, 'expected_return': 403},
 'with_admin_b': {'user': admin_b, 'expected_return': 403},
+ 'with_creator_b': {'user': creator_b, 'expected_return': 403},
 'with_observer_b': {'user': observer_b, 'expected_return': 403},
+ 'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
 }
 
 
@@ -46,7 +51,9 @@ test_data_rbac_read_container = {
 'with_observer_a': {'user': observer_a, 'expected_return': 200},
 'with_auditor_a': {'user': auditor_a, 'expected_return': 200},
 'with_admin_b': {'user': admin_b, 'expected_return': 403},
+ 'with_creator_b': {'user': creator_b, 'expected_return': 403},
 'with_observer_b': {'user': observer_b, 'expected_return': 403},
+ 'with_auditor_b': {'user': auditor_b, 'expected_return': 403},
 }
 
 
diff --git a/functionaltests/common/client.py b/functionaltests/common/client.py
index 082d53809..394b5ccd1 100644
--- a/functionaltests/common/client.py
+++ b/functionaltests/common/client.py
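Review bot: Nothing in the second hunk says why every project_b principal, including the new `with_creator_b` and `with_auditor_b` rows, is expected to get 403 while the same roles in project_a get 200 or 403, and that reasoning is exactly what a reader needs when one of these rows unexpectedly flips. The secret under test is presumably created in project_a (outside the hunk), so a comment above `'with_admin_b'` in `test_data_rbac_read_secret` such as `# project_b holds the same roles but on another project; no project_b user may read project_a data, whatever its role` would make a cross-project leak immediately recognisable in a failure. The same comment applies to `test_data_rbac_read_container` in the third hunk. Both dicts now list the same eight users with the project_b half identical, so the project_b rows could be built once and merged into both tables rather than maintained twice.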
@@ -76,12 +76,24 @@ class BarbicanClient(object):
 username=CONF.rbac_users.admin_b,
 password=CONF.rbac_users.admin_b_password,
 project_name=CONF.rbac_users.project_b)
+ self._auth[CONF.rbac_users.creator_b] = auth.FunctionalTestAuth(
+ endpoint=CONF.identity.uri,
+ version=CONF.identity.version,
+ username=CONF.rbac_users.creator_b,
+ password=CONF.rbac_users.creator_b_password,
+ project_name=CONF.rbac_users.project_b)
 self._auth[CONF.rbac_users.observer_b] = auth.FunctionalTestAuth(
 endpoint=CONF.identity.uri,
 version=CONF.identity.version,
 username=CONF.rbac_users.observer_b,
 password=CONF.rbac_users.observer_b_password,
 project_name=CONF.rbac_users.project_b)
+ self._auth[CONF.rbac_users.auditor_b] = auth.FunctionalTestAuth(
+ endpoint=CONF.identity.uri,
+ version=CONF.identity.version,
+ username=CONF.rbac_users.auditor_b,
+ password=CONF.rbac_users.auditor_b_password,
+ project_name=CONF.rbac_users.project_b)
 
 def _attempt_to_stringify_content(self, content, content_tag):
 if content is None:
diff --git a/functionaltests/common/config.py b/functionaltests/common/config.py
index f0a3cb407..748afa0b0 100644
--- a/functionaltests/common/config.py
+++ b/functionaltests/common/config.py
@@ -50,8 +50,13 @@ def setup_config(config_file=''):
 cfg.StrOpt('auditor_a_password', default='barbican'),
 cfg.StrOpt('admin_b', default='project_b_admin'),
 cfg.StrOpt('admin_b_password', default='barbican'),
+ cfg.StrOpt('creator_b', default='project_b_creator'),
+ cfg.StrOpt('creator_b_password', default='barbican'),
 cfg.StrOpt('observer_b', default='project_b_observer'),
- cfg.StrOpt('observer_b_password', default='barbican')]
+ cfg.StrOpt('observer_b_password', default='barbican'),
+ cfg.StrOpt('auditor_b', default='project_b_auditor'),
+ cfg.StrOpt('auditor_b_password', default='barbican'),
+ ]
 
 TEST_CONF.register_group(rbac_users_group)
 TEST_CONF.register_opts(rbac_users_options, group=rbac_users_group)
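Review bot: The two new `FunctionalTestAuth` entries for creator_b and auditor_b are verbatim copies of the admin_b/observer_b ones with only the username/password option swapped, so the project_b section now repeats the same six lines four times; a loop over (user, password) pairs removes the duplication and makes the next role a one-tuple change. `self._auth` is keyed by the configured username, so if two rbac_users entries were ever configured with the same name the later one would silently replace the earlier one and a test would run as a different principal than its name claims; a duplicate check in that loop turns the misconfiguration into an immediate error. The enclosing method starts outside the hunk.
```python
        # … unchanged: project_a auth entries …
        # One auth per project_b RBAC user; keyed by username, which must be unique.
        for user, password in (
            (CONF.rbac_users.admin_b, CONF.rbac_users.admin_b_password),
            (CONF.rbac_users.creator_b, CONF.rbac_users.creator_b_password),
            (CONF.rbac_users.observer_b, CONF.rbac_users.observer_b_password),
            (CONF.rbac_users.auditor_b, CONF.rbac_users.auditor_b_password),
        ):
            if user in self._auth:
                raise ValueError('duplicate rbac user name: %s' % user)
            self._auth[user] = auth.FunctionalTestAuth(
                endpoint=CONF.identity.uri,
                version=CONF.identity.version,
                username=user,
                password=password,
                project_name=CONF.rbac_users.project_b)
```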
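Review bot: The new `creator_b_password` and `auditor_b_password` options, like the existing `*_password` ones in this list, are plain `cfg.StrOpt`s, so oslo.config reproduces their values verbatim whenever the loaded configuration is logged or dumped; declaring them as `cfg.StrOpt('creator_b_password', default='barbican', secret=True)` masks the value in that output at no cost, and the same flag fits every password option in the group. The `'barbican'` and `'project_b_*'` defaults only work against the users that bin/keystone_data.sh and contrib/devstack/lib/barbican create, which nothing here records; a comment on the group such as `# defaults mirror the test users created by bin/keystone_data.sh and the devstack plugin` would tell a reader where a name mismatch has to be fixed. The enclosing `setup_config` function starts outside the hunk.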