From 5af7cb48f33a4ce83d43ce9e37484e262f43b22e Mon Sep 17 00:00:00 2001
From: lkuchlan <lkuchlan@redhat.com>
Date: Tue, 14 Jul 2020 18:05:09 +0300
Subject: [PATCH] Verify applying a new cephx rule after a previous failure

This test will create a share and will then assign an access rule
that will fall into the error status and will then create another
access rule on the share.
The test will then verify that the second access rule was applied
successfully.

This patch also refactors "test_different_tenants_cannot_use_same_cephx_id"
to use raise_rule_in_error_state=False.

Added: "allow_access" helper method the grants an access to a
share and deletes it at the end of the test.

Change-Id: If9ffab7fcf37fab77bb4c9fd1863a0316f0a370d
---
 .../services/share/json/shares_client.py      |  5 +-
 manila_tempest_tests/tests/api/base.py        | 22 +++++++-
 .../tests/api/test_rules_negative.py          | 54 ++++++++++++++-----
 3 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/manila_tempest_tests/services/share/json/shares_client.py b/manila_tempest_tests/services/share/json/shares_client.py
index b2eabb4b..150c1e02 100644
--- a/manila_tempest_tests/services/share/json/shares_client.py
+++ b/manila_tempest_tests/services/share/json/shares_client.py
@@ -262,7 +262,8 @@ class SharesClient(rest_client.RestClient):
                            (snapshot_name, status, self.build_timeout))
                 raise exceptions.TimeoutException(message)
 
-    def wait_for_access_rule_status(self, share_id, rule_id, status):
+    def wait_for_access_rule_status(self, share_id, rule_id, status,
+                                    raise_rule_in_error_state=True):
         """Waits for an access rule to reach a given status."""
         rule_status = "new"
         start = int(time.time())
@@ -273,7 +274,7 @@ class SharesClient(rest_client.RestClient):
                 if rule["id"] in rule_id:
                     rule_status = rule['state']
                     break
-            if 'error' in rule_status:
+            if 'error' in rule_status and raise_rule_in_error_state:
                 raise share_exceptions.AccessRuleBuildErrorException(
                     rule_id=rule_id)
 
diff --git a/manila_tempest_tests/tests/api/base.py b/manila_tempest_tests/tests/api/base.py
index 7915eaf3..8b01cefe 100755
--- a/manila_tempest_tests/tests/api/base.py
+++ b/manila_tempest_tests/tests/api/base.py
@@ -738,7 +738,8 @@ class BaseSharesTest(test.BaseTestCase):
             access_to = "client3.com"
         elif protocol in CONF.share.enable_cephx_rules_for_protocols:
             access_type = "cephx"
-            access_to = "eve"
+            access_to = data_utils.rand_name(
+                cls.__class__.__name__ + '-cephx-id')
         else:
             message = "Unrecognized protocol and access rules configuration."
             raise cls.skipException(message)
@@ -1082,6 +1083,25 @@ class BaseSharesTest(test.BaseTestCase):
         self.shares_v2_client.wait_for_share_status(share['id'], "error")
         return self.shares_v2_client.wait_for_message(share['id'])
 
+    def allow_access(self, share_id, client=None, access_type=None,
+                     access_level='rw', access_to=None, status='active',
+                     raise_rule_in_error_state=True, cleanup=True):
+
+        client = client or self.shares_v2_client
+        a_type, a_to = self._get_access_rule_data_from_config()
+        access_type = access_type or a_type
+        access_to = access_to or a_to
+
+        rule = client.create_access_rule(share_id, access_type, access_to,
+                                         access_level)
+        client.wait_for_access_rule_status(share_id, rule['id'], status,
+                                           raise_rule_in_error_state)
+        if cleanup:
+            self.addCleanup(client.wait_for_resource_deletion,
+                            rule_id=rule['id'], share_id=share_id)
+            self.addCleanup(client.delete_access_rule, share_id, rule['id'])
+        return rule
+
 
 class BaseSharesAltTest(BaseSharesTest):
     """Base test case class for all Shares Alt API tests."""
diff --git a/manila_tempest_tests/tests/api/test_rules_negative.py b/manila_tempest_tests/tests/api/test_rules_negative.py
index 0fb629eb..2f33ee16 100644
--- a/manila_tempest_tests/tests/api/test_rules_negative.py
+++ b/manila_tempest_tests/tests/api/test_rules_negative.py
@@ -20,7 +20,6 @@ import testtools
 from testtools import testcase as tc
 
 from manila_tempest_tests.common import constants
-from manila_tempest_tests import share_exceptions
 from manila_tempest_tests.tests.api import base
 from manila_tempest_tests import utils
 
@@ -389,10 +388,7 @@ class ShareCephxRulesForCephFSNegativeTest(base.BaseSharesMixedTest):
     @tc.attr(base.TAG_NEGATIVE, base.TAG_API_WITH_BACKEND)
     def test_different_tenants_cannot_use_same_cephx_id(self):
         # Grant access to the share
-        access1 = self.shares_v2_client.create_access_rule(
-            self.share['id'], self.access_type, self.access_to, 'rw')
-        self.shares_v2_client.wait_for_access_rule_status(
-            self.share['id'], access1['id'], 'active')
+        self.allow_access(self.share['id'], access_to=self.access_to)
 
         # Create second share by the new user
         share2 = self.create_share(client=self.alt_shares_v2_client,
@@ -400,13 +396,47 @@ class ShareCephxRulesForCephFSNegativeTest(base.BaseSharesMixedTest):
                                    share_type_id=self.share_type_id)
 
         # Try grant access to the second share using the same cephx id as used
-        # on the first share
-        access2 = self.alt_shares_v2_client.create_access_rule(
-            share2['id'], self.access_type, self.access_to, 'rw')
-        self.assertRaises(
-            share_exceptions.AccessRuleBuildErrorException,
-            self.alt_shares_v2_client.wait_for_access_rule_status,
-            share2['id'], access2['id'], 'active')
+        # on the first share.
+        # Rule must be set to "error" status.
+        self.allow_access(share2['id'], client=self.alt_shares_v2_client,
+                          access_to=self.access_to, status='error',
+                          raise_rule_in_error_state=False)
+
+        share_alt_updated = self.alt_shares_v2_client.get_share(
+            share2['id'])
+        self.assertEqual('error', share_alt_updated['access_rules_status'])
+
+    @tc.attr(base.TAG_NEGATIVE, base.TAG_API)
+    def test_can_apply_new_cephx_rules_when_one_is_in_error_state(self):
+        # Create share on "primary" tenant
+        share_primary = self.create_share()
+        # Add access rule to "Joe" by "primary" user
+        self.allow_access(share_primary['id'], access_to='Joe')
+
+        # Create share on "alt" tenant
+        share_alt = self.create_share(client=self.alt_shares_v2_client)
+        # Add access rule to "Joe" by "alt" user.
+        # Rule must be set to "error" status.
+        rule1 = self.allow_access(share_alt['id'],
+                                  client=self.alt_shares_v2_client,
+                                  access_to='Joe',
+                                  status='error',
+                                  raise_rule_in_error_state=False,
+                                  cleanup=False)
+
+        # Share's "access_rules_status" must be in "error" status
+        share_alt_updated = self.alt_shares_v2_client.get_share(
+            share_alt['id'])
+        self.assertEqual('error', share_alt_updated['access_rules_status'])
+
+        # Add second access rule to different client by "alt" user.
+        self.allow_access(share_alt['id'], client=self.alt_shares_v2_client)
+
+        # Check share's access_rules_status has transitioned to "active" status
+        self.alt_shares_v2_client.delete_access_rule(
+            share_alt['id'], rule1['id'])
+        self.alt_shares_v2_client.wait_for_share_status(
+            share_alt['id'], 'active', status_attr='access_rules_status')
 
 
 @ddt.ddt