From bf8a7d986a03592903725b2588fb67880e18686a Mon Sep 17 00:00:00 2001 From: Ricardo Rocha Date: Wed, 3 May 2017 11:47:05 +0200 Subject: [PATCH] Set clustertemplate:publish to admin only Set the clustertemplate:publish policy to be admin only by default - currently it is admin_or_user, which means any openstack user can create a public cluster template. Update tests for bay model and cluster template, splitting tests requiring admin credentials into a separate class. Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432 Closes-Bug: #1687887 (cherry picked from commit 12052b1253782655397a26b1c50a0a2b7b539eaa) --- etc/magnum/policy.json | 4 +- .../tests/functional/api/v1/test_baymodel.py | 18 ++-- .../functional/api/v1/test_baymodel_admin.py | 80 +++++++++++++++++ .../api/v1/test_cluster_template.py | 19 ++-- .../api/v1/test_cluster_template_admin.py | 86 +++++++++++++++++++ 5 files changed, 180 insertions(+), 27 deletions(-) create mode 100644 magnum/tests/functional/api/v1/test_baymodel_admin.py create mode 100644 magnum/tests/functional/api/v1/test_cluster_template_admin.py diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json index 19552ab5ad..cb19ad7477 100644 --- a/etc/magnum/policy.json +++ b/etc/magnum/policy.json @@ -20,7 +20,7 @@ "baymodel:get": "rule:deny_cluster_user", "baymodel:get_all": "rule:deny_cluster_user", "baymodel:update": "rule:deny_cluster_user", - "baymodel:publish": "rule:admin_or_owner", + "baymodel:publish": "rule:admin_api", "cluster:create": "rule:deny_cluster_user", "cluster:delete": "rule:deny_cluster_user", @@ -35,7 +35,7 @@ "clustertemplate:get": "rule:deny_cluster_user", "clustertemplate:get_all": "rule:deny_cluster_user", "clustertemplate:update": "rule:deny_cluster_user", - "clustertemplate:publish": "rule:admin_or_owner", + "clustertemplate:publish": "rule:admin_api", "quotas:get": "rule:default", "quotas:get_all": "rule:admin_api", 
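Review bot: The new `rule:admin_api` value for `baymodel:publish` and `clustertemplate:publish` (both hunks of etc/magnum/policy.json) changes only the shipped default, and the diffstat lists no release note or upgrade documentation. A deployment that already has its own policy.json installed would presumably keep `rule:admin_or_owner`. Nothing visible here revisits templates that non-admin users have already made public. I would add a release note telling operators to set both publish rules to `rule:admin_api` in their deployed policy file and to audit existing public baymodels and cluster templates.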
diff --git a/magnum/tests/functional/api/v1/test_baymodel.py b/magnum/tests/functional/api/v1/test_baymodel.py index 5dfaef9942..c95d38b164 100644 --- a/magnum/tests/functional/api/v1/test_baymodel.py +++ b/magnum/tests/functional/api/v1/test_baymodel.py @@ -75,11 +75,9 @@ class BayModelTest(base.BaseTempestTest): @testtools.testcase.attr('positive') def test_create_get_public_baymodel(self): gen_model = datagen.valid_swarm_baymodel(is_public=True) - resp, model = self._create_baymodel(gen_model) - - resp, model = self.baymodel_client.get_baymodel(model.uuid) - self.assertEqual(200, resp.status) - self.assertTrue(model.public) + self.assertRaises( + exceptions.Forbidden, + self.baymodel_client.post_baymodel, gen_model) @testtools.testcase.attr('positive') def test_update_baymodel_public_by_uuid(self): @@ -88,13 +86,9 @@ class BayModelTest(base.BaseTempestTest): resp, old_model = self._create_baymodel(gen_model) patch_model = datagen.baymodel_replace_patch_data(path, value=True) - resp, new_model = self.baymodel_client.patch_baymodel( - old_model.uuid, patch_model) - self.assertEqual(200, resp.status) - - resp, model = self.baymodel_client.get_baymodel(new_model.uuid) - self.assertEqual(200, resp.status) - self.assertTrue(model.public) + self.assertRaises( + exceptions.Forbidden, + self.baymodel_client.patch_baymodel, old_model.uuid, patch_model) @testtools.testcase.attr('positive') def test_update_baymodel_by_uuid(self): diff --git a/magnum/tests/functional/api/v1/test_baymodel_admin.py b/magnum/tests/functional/api/v1/test_baymodel_admin.py new file mode 100644 index 0000000000..9f8642ee95 --- /dev/null +++ b/magnum/tests/functional/api/v1/test_baymodel_admin.py 
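Review bot: Both rewritten tests in test_baymodel.py now assert `exceptions.Forbidden` but keep the context line `@testtools.testcase.attr('positive')` and the names `test_create_get_public_baymodel` / `test_update_baymodel_public_by_uuid`, so a run filtered on that attribute counts a denial check as a positive case. I would tag them `@testtools.testcase.attr('negative')` and rename them to say what they check, for example `test_create_public_baymodel_forbidden`. The two hunks in test_cluster_template.py have the same mismatch. The file's import block is outside these hunks, so confirm that `exceptions` is already imported in both test modules.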
@@ -0,0 +1,80 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class BayModelAdminTest(base.BaseTempestTest):
+
+ """Tests for baymodel admin operations."""
+
+ def __init__(self, *args, **kwargs):
+ super(BayModelAdminTest, self).__init__(*args, **kwargs)
+ self.baymodels = []
+ self.baymodel_client = None
+ self.keypairs_client = None
+
+ def setUp(self):
+ try:
+ super(BayModelAdminTest, self).setUp()
+ (self.baymodel_client,
+ self.keypairs_client) = self.get_clients_with_new_creds(
+ type_of_creds='admin',
+ request_type='baymodel')
+ except Exception:
+ self.tearDown()
+ raise
+
+ def tearDown(self):
+ for baymodel_id in self.baymodels:
+ self._delete_baymodel(baymodel_id)
+ self.baymodels.remove(baymodel_id)
+ super(BayModelAdminTest, self).tearDown()
+
+ def _create_baymodel(self, baymodel_model):
+ resp, model = self.baymodel_client.post_baymodel(baymodel_model)
+ self.assertEqual(201, resp.status)
+ self.baymodels.append(model.uuid)
+ return resp, model
+
+ def _delete_baymodel(self, baymodel_id):
+ resp, model = self.baymodel_client.delete_baymodel(baymodel_id)
+ self.assertEqual(204, resp.status)
+ return resp, model
+
+ @testtools.testcase.attr('positive')
+ def test_create_get_public_baymodel(self):
+ gen_model = datagen.valid_swarm_baymodel(is_public=True)
+ resp, model = self._create_baymodel(gen_model)
+
+ resp, model =
self.baymodel_client.get_baymodel(model.uuid) + self.assertEqual(200, resp.status) + self.assertTrue(model.public) + + @testtools.testcase.attr('positive') + def test_update_baymodel_public_by_uuid(self): + path = "/public" + gen_model = datagen.baymodel_data_with_valid_keypair_image_flavor() + resp, old_model = self._create_baymodel(gen_model) + + patch_model = datagen.baymodel_replace_patch_data(path, value=True) + resp, new_model = self.baymodel_client.patch_baymodel( + old_model.uuid, patch_model) + self.assertEqual(200, resp.status) + + resp, model = self.baymodel_client.get_baymodel(new_model.uuid) + self.assertEqual(200, resp.status) + self.assertTrue(model.public) diff --git a/magnum/tests/functional/api/v1/test_cluster_template.py b/magnum/tests/functional/api/v1/test_cluster_template.py index 29b8a441f6..b005373400 100644 --- a/magnum/tests/functional/api/v1/test_cluster_template.py +++ b/magnum/tests/functional/api/v1/test_cluster_template.py @@ -80,12 +80,9 @@ class ClusterTemplateTest(base.BaseTempestTest): @testtools.testcase.attr('positive') def test_create_get_public_cluster_template(self): gen_model = datagen.valid_swarm_cluster_template(is_public=True) - resp, model = self._create_cluster_template(gen_model) - - resp, model = \ - self.cluster_template_client.get_cluster_template(model.uuid) - self.assertEqual(200, resp.status) - self.assertTrue(model.public) + self.assertRaises( + exceptions.Forbidden, + self.cluster_template_client.post_cluster_template, gen_model) @testtools.testcase.attr('positive') def test_update_cluster_template_public_by_uuid(self): 
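Review bot: `tearDown` in the new test_baymodel_admin.py calls `self.baymodels.remove(baymodel_id)` while iterating over `self.baymodels`, which makes the loop skip every second entry. Each test here creates only one baymodel, so this is latent today. A test that creates two or more would leave admin-created, possibly public, baymodels behind in the cloud under test. Iterate over a copy instead: `for baymodel_id in list(self.baymodels):`. `ClusterTemplateAdminTest.tearDown` in test_cluster_template_admin.py has the same loop over `self.cluster_templates`.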
@@ -96,14 +93,10 @@ class ClusterTemplateTest(base.BaseTempestTest): patch_model = datagen.cluster_template_replace_patch_data(path, value=True) - resp, new_model = self.cluster_template_client.patch_cluster_template( + self.assertRaises( + exceptions.Forbidden, + self.cluster_template_client.patch_cluster_template, old_model.uuid, patch_model) - self.assertEqual(200, resp.status) - - resp, model = self.cluster_template_client.get_cluster_template( - new_model.uuid) - self.assertEqual(200, resp.status) - self.assertTrue(model.public) @testtools.testcase.attr('positive') def test_update_cluster_template_by_uuid(self): diff --git a/magnum/tests/functional/api/v1/test_cluster_template_admin.py b/magnum/tests/functional/api/v1/test_cluster_template_admin.py new file mode 100644 index 0000000000..22f4ee9efc --- /dev/null +++ b/magnum/tests/functional/api/v1/test_cluster_template_admin.py 
@@ -0,0 +1,86 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import testtools
+
+from magnum.tests.functional.api import base
+from magnum.tests.functional.common import datagen
+
+
+class ClusterTemplateAdminTest(base.BaseTempestTest):
+
+ """Tests for clustertemplate admin operations."""
+
+ def __init__(self, *args, **kwargs):
+ super(ClusterTemplateAdminTest, self).__init__(*args, **kwargs)
+ self.cluster_templates = []
+ self.cluster_template_client = None
+ self.keypairs_client = None
+
+ def setUp(self):
+ try:
+ super(ClusterTemplateAdminTest, self).setUp()
+ (self.cluster_template_client,
+ self.keypairs_client) = self.get_clients_with_new_creds(
+ type_of_creds='admin',
+ request_type='cluster_template')
+ except Exception:
+ self.tearDown()
+ raise
+
+ def tearDown(self):
+ for cluster_template_id in self.cluster_templates:
+ self._delete_cluster_template(cluster_template_id)
+ self.cluster_templates.remove(cluster_template_id)
+ super(ClusterTemplateAdminTest, self).tearDown()
+
+ def _create_cluster_template(self, cmodel_model):
+ resp, model = \
+ self.cluster_template_client.post_cluster_template(cmodel_model)
+ self.assertEqual(201, resp.status)
+ self.cluster_templates.append(model.uuid)
+ return resp, model
+
+ def _delete_cluster_template(self, model_id):
+ resp, model = \
+ self.cluster_template_client.delete_cluster_template(model_id)
+ self.assertEqual(204, resp.status)
+ return resp, model
+
+ @testtools.testcase.attr('positive')
+ def test_create_get_public_cluster_template(self):
+ gen_model = datagen.valid_swarm_cluster_template(is_public=True)
+ resp, model = self._create_cluster_template(gen_model)
+
+ resp, model = \
+ self.cluster_template_client.get_cluster_template(model.uuid)
+ self.assertEqual(200, resp.status)
+ self.assertTrue(model.public)
+
+ @testtools.testcase.attr('positive')
+ def test_update_cluster_template_public_by_uuid(self):
+ path = "/public"
+ gen_model = \
+ datagen.cluster_template_data_with_valid_keypair_image_flavor()
+ resp, old_model = self._create_cluster_template(gen_model)
+
+ patch_model = datagen.cluster_template_replace_patch_data(path,
+ value=True)
+ resp, new_model = self.cluster_template_client.patch_cluster_template(
+ old_model.uuid, patch_model)
+ self.assertEqual(200, resp.status)
+
+ resp, model = self.cluster_template_client.get_cluster_template(
+ new_model.uuid)
+ self.assertEqual(200, resp.status)
+ self.assertTrue(model.public)
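Review bot: `_delete_cluster_template` asserts `self.assertEqual(204, resp.status)` and is called from `tearDown`, so one failed delete raises out of the loop and `super(ClusterTemplateAdminTest, self).tearDown()` never runs. The base class is not shown here, but if its tearDown releases the admin credentials obtained through `get_clients_with_new_creds(type_of_creds='admin', ...)`, those would be left behind along with any remaining public templates. I would wrap the loop in `try:` and move the `super(ClusterTemplateAdminTest, self).tearDown()` call into a `finally:` clause. `BayModelAdminTest` in test_baymodel_admin.py is written the same way.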