Expect 404 for unauthorized share access

As a fix to bug #1901210, manila's API now responds with a 404 if a user doesn't have access to a non-public share to prevent an existence detection attack. Since manila tempest tests can be used for older branches without the fix, we must accommodate both error codes - 403 and 404 in our tests for a while. Change-Id: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4 Partial-Bug: #1901210 Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2022-09-15 09:36:32 -07:00 · 2022-09-15 09:36:32 -07:00 · a90e3251d6
parent 2b3fcc571f
commit a90e3251d6
2 changed files with 10 additions and 4 deletions
--- a/manila_tempest_tests/tests/api/admin/test_admin_actions_negative.py
+++ b/manila_tempest_tests/tests/api/admin/test_admin_actions_negative.py
@ -82,8 +82,11 @@ class AdminActionsNegativeTest(base.BaseSharesMixedTest):
    @decorators.idempotent_id('3b525c29-b657-493f-aa41-b17676a95fd2')
    @tc.attr(base.TAG_NEGATIVE, base.TAG_API_WITH_BACKEND)
    def test_try_reset_share_state_with_member(self):
-        # Even if member from another tenant, it should be unauthorized
-        self.assertRaises(lib_exc.Forbidden,
+        # NOTE(gouthamr): The client used below is of a member from another
+        # project. As a fix to bug #1901210, the server responds with
+        # 404 instead of 403, but we'll test for one of the two codes since
+        # the test could be running against a release without the fix.
+        self.assertRaises((lib_exc.Forbidden, lib_exc.NotFound),
                          self.member_client.reset_state,
                          self.share["id"])

--- a/manila_tempest_tests/tests/api/test_shares_actions_negative.py
+++ b/manila_tempest_tests/tests/api/test_shares_actions_negative.py
@ -340,8 +340,11 @@ class SharesActionsNegativeTest(base.BaseSharesMixedTest):
        share = self.create_share(share_type_id=self.share_type_id,
                                  cleanup_in_class=False)

-        # try soft delete the share
-        self.assertRaises(lib_exc.Forbidden,
+        # NOTE(gouthamr): The client used below is of a member from alt
+        # project. As a fix to bug #1901210, the server responds with
+        # 404 instead of 403, but we'll test for one of the two codes since
+        # the test could be running against a release without the fix.
+        self.assertRaises((lib_exc.Forbidden, lib_exc.NotFound),
                          self.alt_shares_v2_client.soft_delete_share,
                          share['id'])