diff --git a/.zuul.yaml b/.zuul.yaml index 2e99198a..2c3c5327 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -65,6 +65,7 @@ - quota_details - rbac-policies - rbac-security-groups + - rbac-subnetpool - router - router-admin-state-down-before-update - router_availability_zone diff --git a/neutron_tempest_plugin/api/test_subnetpools.py b/neutron_tempest_plugin/api/test_subnetpools.py index 9d927cfe..38c721fd 100644 --- a/neutron_tempest_plugin/api/test_subnetpools.py +++ b/neutron_tempest_plugin/api/test_subnetpools.py @@ -12,10 +12,12 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import testtools from tempest.common import utils from tempest.lib.common.utils import data_utils from tempest.lib import decorators +from tempest.lib import exceptions as lib_exc from neutron_tempest_plugin.api import base @@ -418,3 +420,171 @@ class SubnetPoolsSearchCriteriaTest(base.BaseSearchCriteriaTest, self._test_list_validation_filters(self.list_kwargs) self._test_list_validation_filters({ 'unknown_filter': 'value'}, filter_is_valid=False) + + +class RbacSubnetPoolTest(SubnetPoolsTestBase): + + force_tenant_isolation = True + credentials = ['primary', 'alt', 'admin'] + required_extensions = ['rbac-subnetpool'] + + @classmethod + def resource_setup(cls): + super(RbacSubnetPoolTest, cls).resource_setup() + cls.client2 = cls.os_alt.network_client + + def _make_admin_snp_shared_to_project_id(self, project_id): + snp = self._create_subnetpool(is_admin=True) + rbac_policy = self.admin_client.create_rbac_policy( + object_type='subnetpool', + object_id=snp['id'], + action='access_as_shared', + target_tenant=project_id, + )['rbac_policy'] + return {'subnetpool': snp, 'rbac_policy': rbac_policy} + + @decorators.idempotent_id('71b35ad0-51cd-40da-985d-89a51c95ec6a') + def test_policy_target_update(self): + res = self._make_admin_snp_shared_to_project_id( + self.client.tenant_id) + # change to client2 + update_res = self.admin_client.update_rbac_policy( + res['rbac_policy']['id'], target_tenant=self.client2.tenant_id) + self.assertEqual(self.client2.tenant_id, + update_res['rbac_policy']['target_tenant']) + # make sure everything else stayed the same + res['rbac_policy'].pop('target_tenant') + update_res['rbac_policy'].pop('target_tenant') + self.assertEqual(res['rbac_policy'], update_res['rbac_policy']) + + @decorators.idempotent_id('451d9d38-65a0-4916-a805-1460d6a938d1') + def test_subnet_presence_prevents_rbac_policy_deletion(self): + res = self._make_admin_snp_shared_to_project_id( + self.client2.tenant_id) + network = self.create_network(client=self.client2) + subnet = self.client2.create_subnet( + network_id=network['id'], + ip_version=4, + subnetpool_id=res['subnetpool']['id'], + name=data_utils.rand_name("rbac-subnetpool"), + )["subnet"] + self.addCleanup(self.client2.delete_network, network['id']) + self.addCleanup( + self.admin_client.delete_subnetpool, + res['subnetpool']['id'] + ) + self.addCleanup(self.client2.delete_subnet, subnet['id']) + + # a port with shared sg should prevent the deletion of an + # rbac-policy required for it to be shared + with testtools.ExpectedException(lib_exc.Conflict): + self.admin_client.delete_rbac_policy(res['rbac_policy']['id']) + + @decorators.idempotent_id('f74a71de-9abf-49c6-8199-4ac7f53e383b') + @utils.requires_ext(extension='rbac-address-scope', service='network') + def test_cannot_share_if_no_access_to_address_scope(self): + # Create Address Scope shared only to client but not to client2 + a_s = self.admin_client.create_address_scope( + name=data_utils.rand_name("rbac-subnetpool"), + ip_version=4 + )["address_scope"] + rbac_policy = self.admin_client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', + target_tenant=self.client.tenant_id)['rbac_policy'] + + # Create subnet pool owned by client with shared AS + snp = self._create_subnetpool(address_scope_id=a_s["id"]) + + with testtools.ExpectedException(lib_exc.BadRequest): + self.client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', + target_tenant=self.client2.tenant_id + ) + + # cleanup + self.client.delete_subnetpool(snp["id"]) + self.admin_client.delete_rbac_policy(rbac_policy['id']) + self.admin_client.delete_address_scope(a_s['id']) + + @decorators.idempotent_id('9cf8bba5-0163-4083-9397-678bb9b5f5a2') + def test_regular_client_shares_to_another_regular_client(self): + # owned by self.admin_client + snp = self._create_subnetpool(is_admin=True) + with testtools.ExpectedException(lib_exc.NotFound): + self.client.show_subnetpool(snp['id']) + rbac_policy = self.admin_client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', + target_tenant=self.client.tenant_id)['rbac_policy'] + self.client.show_subnetpool(snp['id']) + + self.assertIn(rbac_policy, + self.admin_client.list_rbac_policies()['rbac_policies']) + # ensure that 'client2' can't see the rbac-policy sharing the + # as to it because the rbac-policy belongs to 'client' + self.assertNotIn(rbac_policy['id'], [p['id'] for p in + self.client2.list_rbac_policies()['rbac_policies']]) + + @decorators.idempotent_id('17b2b437-a5fa-4340-ad98-912a986d0d7c') + def test_filter_fields(self): + snp = self._create_subnetpool() + self.admin_client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', target_tenant=self.client2.tenant_id) + field_args = (('id',), ('id', 'action'), ('object_type', 'object_id'), + ('project_id', 'target_tenant')) + for fields in field_args: + res = self.admin_client.list_rbac_policies(fields=fields) + self.assertEqual(set(fields), set(res['rbac_policies'][0].keys())) + + @decorators.idempotent_id('e59e4502-4e6a-4e49-b446-a5d5642bbd69') + def test_rbac_policy_show(self): + res = self._make_admin_snp_shared_to_project_id( + self.client.tenant_id) + p1 = res['rbac_policy'] + p2 = self.admin_client.create_rbac_policy( + object_type='subnetpool', + object_id=res['subnetpool']['id'], + action='access_as_shared', + target_tenant='*')['rbac_policy'] + + self.assertEqual( + p1, self.admin_client.show_rbac_policy(p1['id'])['rbac_policy']) + self.assertEqual( + p2, self.admin_client.show_rbac_policy(p2['id'])['rbac_policy']) + + @decorators.idempotent_id('1c24c28c-eb1e-466e-af29-255cf127653a') + def test_filter_rbac_policies(self): + snp = self._create_subnetpool() + rbac_pol1 = self.admin_client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', + target_tenant=self.client2.tenant_id)['rbac_policy'] + rbac_pol2 = self.admin_client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', + target_tenant=self.admin_client.tenant_id)['rbac_policy'] + res1 = self.admin_client.list_rbac_policies(id=rbac_pol1['id'])[ + 'rbac_policies'] + res2 = self.admin_client.list_rbac_policies(id=rbac_pol2['id'])[ + 'rbac_policies'] + self.assertEqual(1, len(res1)) + self.assertEqual(1, len(res2)) + self.assertEqual(rbac_pol1['id'], res1[0]['id']) + self.assertEqual(rbac_pol2['id'], res2[0]['id']) + + @decorators.idempotent_id('63d9acbe-403c-4e77-9ffd-80e636a4621e') + def test_regular_client_blocked_from_sharing_anothers_policy(self): + snp = self._make_admin_snp_shared_to_project_id( + self.client.tenant_id)['subnetpool'] + with testtools.ExpectedException(lib_exc.BadRequest): + self.client.create_rbac_policy( + object_type='subnetpool', object_id=snp['id'], + action='access_as_shared', + target_tenant=self.client2.tenant_id) + + # make sure the rbac-policy is invisible to the tenant for which it's + # being shared + self.assertFalse(self.client.list_rbac_policies()['rbac_policies'])