diff --git a/contrib/tempest/tempest/api/share/test_rules.py b/contrib/tempest/tempest/api/share/test_rules.py index 4bfc7fa1bc..da7521ffaf 100644 --- a/contrib/tempest/tempest/api/share/test_rules.py +++ b/contrib/tempest/tempest/api/share/test_rules.py @@ -148,6 +148,49 @@ class ShareUserRulesForCIFSTest(ShareUserRulesForNFSTest): _create_delete_ro_access_rule(self) +class ShareCertRulesForGLUSTERFSTest(base.BaseSharesTest): + protocol = "glusterfs" + + @classmethod + def resource_setup(cls): + super(ShareCertRulesForGLUSTERFSTest, cls).resource_setup() + if (cls.protocol not in CONF.share.enable_protocols or + cls.protocol not in + CONF.share.enable_cert_rules_for_protocols): + msg = "Cert rule tests for %s protocol are disabled" % cls.protocol + raise cls.skipException(msg) + cls.share = cls.create_share(cls.protocol) + cls.access_type = "cert" + # Provide access to a client identified by a common name (CN) of the + # certificate that it possesses. + cls.access_to = "client1.com" + + @test.attr(type=["gate", ]) + def test_create_delete_cert_rule(self): + + # create rule + rule = self.shares_client.create_access_rule( + self.share["id"], self.access_type, self.access_to) + self.assertEqual('rw', rule['access_level']) + self.shares_client.wait_for_access_rule_status( + self.share["id"], rule["id"], "active") + + # delete rule + self.shares_client.delete_access_rule(self.share["id"], rule["id"]) + + @test.attr(type=["gate", ]) + @testtools.skipIf( + "glusterfs" not in CONF.share.enable_ro_access_level_for_protocols, + "RO access rule tests are disabled for GLUSTERFS protocol.") + def test_create_delete_cert_ro_access_rule(self): + rule = self.shares_client.create_access_rule( + self.share["id"], 'cert', 'client2.com', 'ro') + self.assertEqual('ro', rule['access_level']) + self.shares_client.wait_for_access_rule_status( + self.share["id"], rule["id"], "active") + self.shares_client.delete_access_rule(self.share["id"], rule["id"]) + + class ShareRulesTest(base.BaseSharesTest): @classmethod @@ -156,6 +199,8 @@ class ShareRulesTest(base.BaseSharesTest): if not (any(p in CONF.share.enable_ip_rules_for_protocols for p in cls.protocols) or any(p in CONF.share.enable_user_rules_for_protocols + for p in cls.protocols) or + any(p in CONF.share.enable_cert_rules_for_protocols for p in cls.protocols)): cls.message = "Rule tests are disabled" raise cls.skipException(cls.message) @@ -174,6 +219,10 @@ class ShareRulesTest(base.BaseSharesTest): self.access_type = "user" self.access_to = CONF.share.username_for_user_rules protocol = CONF.share.enable_user_rules_for_protocols[0] + elif CONF.share.enable_cert_rules_for_protocols: + self.access_type = "cert" + self.access_to = "client3.com" + protocol = CONF.share.enable_cert_rules_for_protocols[0] else: raise self.skipException(self.message) self.shares_client.protocol = protocol diff --git a/contrib/tempest/tempest/api/share/test_rules_negative.py b/contrib/tempest/tempest/api/share/test_rules_negative.py index 148b603ac0..c9579ff71d 100644 --- a/contrib/tempest/tempest/api/share/test_rules_negative.py +++ b/contrib/tempest/tempest/api/share/test_rules_negative.py @@ -198,6 +198,60 @@ class ShareUserRulesForCIFSNegativeTest(ShareUserRulesForNFSNegativeTest): protocol = "cifs" +class ShareCertRulesForGLUSTERFSNegativeTest(base.BaseSharesTest): + protocol = "glusterfs" + + @classmethod + def resource_setup(cls): + super(ShareCertRulesForGLUSTERFSNegativeTest, cls).resource_setup() + if not (cls.protocol in CONF.share.enable_protocols and + cls.protocol in CONF.share.enable_cert_rules_for_protocols): + msg = "CERT rule tests for %s protocol are disabled" % cls.protocol + raise cls.skipException(msg) + # create share + cls.share = cls.create_share(cls.protocol) + if CONF.share.run_snapshot_tests: + # create snapshot + cls.snap = cls.create_snapshot_wait_for_active(cls.share["id"]) + + @test.attr(type=["negative", "gate", ]) + def test_create_access_rule_cert_with_empty_common_name(self): + self.assertRaises(lib_exc.BadRequest, + self.shares_client.create_access_rule, + self.share["id"], "cert", "") + + @test.attr(type=["negative", "gate", ]) + def test_create_access_rule_cert_with_whitespace_common_name(self): + self.assertRaises(lib_exc.BadRequest, + self.shares_client.create_access_rule, + self.share["id"], "cert", " ") + + @test.attr(type=["negative", "gate", ]) + def test_create_access_rule_cert_with_too_big_common_name(self): + # common name cannot be more than 64 characters long + self.assertRaises(lib_exc.BadRequest, + self.shares_client.create_access_rule, + self.share["id"], "cert", "a" * 65) + + @test.attr(type=["negative", "gate", ]) + @testtools.skipUnless(CONF.share.run_snapshot_tests, + "Snapshot tests are disabled.") + def test_create_access_rule_cert_to_snapshot(self): + self.assertRaises(lib_exc.NotFound, + self.shares_client.create_access_rule, + self.snap["id"], + access_type="cert", + access_to="fakeclient1.com") + + @test.attr(type=["negative", "gate", ]) + def test_create_access_rule_cert_with_wrong_share_id(self): + self.assertRaises(lib_exc.NotFound, + self.shares_client.create_access_rule, + "wrong_share_id", + access_type="cert", + access_to="fakeclient2.com") + + class ShareRulesNegativeTest(base.BaseSharesTest): # Tests independent from rule type and share protocol @@ -207,6 +261,8 @@ class ShareRulesNegativeTest(base.BaseSharesTest): if not (any(p in CONF.share.enable_ip_rules_for_protocols for p in cls.protocols) or any(p in CONF.share.enable_user_rules_for_protocols + for p in cls.protocols) or + any(p in CONF.share.enable_cert_rules_for_protocols for p in cls.protocols)): cls.message = "Rule tests are disabled" raise cls.skipException(cls.message) diff --git a/contrib/tempest/tempest/config_share.py b/contrib/tempest/tempest/config_share.py index 1b4e7f0ff0..3988613f47 100644 --- a/contrib/tempest/tempest/config_share.py +++ b/contrib/tempest/tempest/config_share.py @@ -62,6 +62,9 @@ ShareGroup = [ default=[], help="Selection of protocols, that should " "be covered with user rule tests"), + cfg.ListOpt("enable_cert_rules_for_protocols", + default=["glusterfs", ], + help="Protocols that should be covered with cert rule tests."), cfg.StrOpt("username_for_user_rules", default="Administrator", help="Username, that will be used in user tests."),