Add tempest api tests for subnet pools RBAC
Change-Id: Ie6e26acd5e9c3acd2ee86a9c354c4a2934aa4bce Partial-Bug: #1862032 Depends-On: https://review.opendev.org/#/c/710755/
This commit is contained in:
parent
89c38f4aba
commit
649c018b3e
|
@ -65,6 +65,7 @@
|
||||||
- quota_details
|
- quota_details
|
||||||
- rbac-policies
|
- rbac-policies
|
||||||
- rbac-security-groups
|
- rbac-security-groups
|
||||||
|
- rbac-subnetpool
|
||||||
- router
|
- router
|
||||||
- router-admin-state-down-before-update
|
- router-admin-state-down-before-update
|
||||||
- router_availability_zone
|
- router_availability_zone
|
||||||
|
|
|
@ -12,10 +12,12 @@
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
import testtools
|
||||||
|
|
||||||
from tempest.common import utils
|
from tempest.common import utils
|
||||||
from tempest.lib.common.utils import data_utils
|
from tempest.lib.common.utils import data_utils
|
||||||
from tempest.lib import decorators
|
from tempest.lib import decorators
|
||||||
|
from tempest.lib import exceptions as lib_exc
|
||||||
|
|
||||||
from neutron_tempest_plugin.api import base
|
from neutron_tempest_plugin.api import base
|
||||||
|
|
||||||
|
@ -418,3 +420,171 @@ class SubnetPoolsSearchCriteriaTest(base.BaseSearchCriteriaTest,
|
||||||
self._test_list_validation_filters(self.list_kwargs)
|
self._test_list_validation_filters(self.list_kwargs)
|
||||||
self._test_list_validation_filters({
|
self._test_list_validation_filters({
|
||||||
'unknown_filter': 'value'}, filter_is_valid=False)
|
'unknown_filter': 'value'}, filter_is_valid=False)
|
||||||
|
|
||||||
|
|
||||||
|
class RbacSubnetPoolTest(SubnetPoolsTestBase):
|
||||||
|
|
||||||
|
force_tenant_isolation = True
|
||||||
|
credentials = ['primary', 'alt', 'admin']
|
||||||
|
required_extensions = ['rbac-subnetpool']
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def resource_setup(cls):
|
||||||
|
super(RbacSubnetPoolTest, cls).resource_setup()
|
||||||
|
cls.client2 = cls.os_alt.network_client
|
||||||
|
|
||||||
|
def _make_admin_snp_shared_to_project_id(self, project_id):
|
||||||
|
snp = self._create_subnetpool(is_admin=True)
|
||||||
|
rbac_policy = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool',
|
||||||
|
object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=project_id,
|
||||||
|
)['rbac_policy']
|
||||||
|
return {'subnetpool': snp, 'rbac_policy': rbac_policy}
|
||||||
|
|
||||||
|
@decorators.idempotent_id('71b35ad0-51cd-40da-985d-89a51c95ec6a')
|
||||||
|
def test_policy_target_update(self):
|
||||||
|
res = self._make_admin_snp_shared_to_project_id(
|
||||||
|
self.client.tenant_id)
|
||||||
|
# change to client2
|
||||||
|
update_res = self.admin_client.update_rbac_policy(
|
||||||
|
res['rbac_policy']['id'], target_tenant=self.client2.tenant_id)
|
||||||
|
self.assertEqual(self.client2.tenant_id,
|
||||||
|
update_res['rbac_policy']['target_tenant'])
|
||||||
|
# make sure everything else stayed the same
|
||||||
|
res['rbac_policy'].pop('target_tenant')
|
||||||
|
update_res['rbac_policy'].pop('target_tenant')
|
||||||
|
self.assertEqual(res['rbac_policy'], update_res['rbac_policy'])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('451d9d38-65a0-4916-a805-1460d6a938d1')
|
||||||
|
def test_subnet_presence_prevents_rbac_policy_deletion(self):
|
||||||
|
res = self._make_admin_snp_shared_to_project_id(
|
||||||
|
self.client2.tenant_id)
|
||||||
|
network = self.create_network(client=self.client2)
|
||||||
|
subnet = self.client2.create_subnet(
|
||||||
|
network_id=network['id'],
|
||||||
|
ip_version=4,
|
||||||
|
subnetpool_id=res['subnetpool']['id'],
|
||||||
|
name=data_utils.rand_name("rbac-subnetpool"),
|
||||||
|
)["subnet"]
|
||||||
|
self.addCleanup(self.client2.delete_network, network['id'])
|
||||||
|
self.addCleanup(
|
||||||
|
self.admin_client.delete_subnetpool,
|
||||||
|
res['subnetpool']['id']
|
||||||
|
)
|
||||||
|
self.addCleanup(self.client2.delete_subnet, subnet['id'])
|
||||||
|
|
||||||
|
# a port with shared sg should prevent the deletion of an
|
||||||
|
# rbac-policy required for it to be shared
|
||||||
|
with testtools.ExpectedException(lib_exc.Conflict):
|
||||||
|
self.admin_client.delete_rbac_policy(res['rbac_policy']['id'])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('f74a71de-9abf-49c6-8199-4ac7f53e383b')
|
||||||
|
@utils.requires_ext(extension='rbac-address-scope', service='network')
|
||||||
|
def test_cannot_share_if_no_access_to_address_scope(self):
|
||||||
|
# Create Address Scope shared only to client but not to client2
|
||||||
|
a_s = self.admin_client.create_address_scope(
|
||||||
|
name=data_utils.rand_name("rbac-subnetpool"),
|
||||||
|
ip_version=4
|
||||||
|
)["address_scope"]
|
||||||
|
rbac_policy = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='address_scope', object_id=a_s['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.client.tenant_id)['rbac_policy']
|
||||||
|
|
||||||
|
# Create subnet pool owned by client with shared AS
|
||||||
|
snp = self._create_subnetpool(address_scope_id=a_s["id"])
|
||||||
|
|
||||||
|
with testtools.ExpectedException(lib_exc.BadRequest):
|
||||||
|
self.client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.client2.tenant_id
|
||||||
|
)
|
||||||
|
|
||||||
|
# cleanup
|
||||||
|
self.client.delete_subnetpool(snp["id"])
|
||||||
|
self.admin_client.delete_rbac_policy(rbac_policy['id'])
|
||||||
|
self.admin_client.delete_address_scope(a_s['id'])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('9cf8bba5-0163-4083-9397-678bb9b5f5a2')
|
||||||
|
def test_regular_client_shares_to_another_regular_client(self):
|
||||||
|
# owned by self.admin_client
|
||||||
|
snp = self._create_subnetpool(is_admin=True)
|
||||||
|
with testtools.ExpectedException(lib_exc.NotFound):
|
||||||
|
self.client.show_subnetpool(snp['id'])
|
||||||
|
rbac_policy = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.client.tenant_id)['rbac_policy']
|
||||||
|
self.client.show_subnetpool(snp['id'])
|
||||||
|
|
||||||
|
self.assertIn(rbac_policy,
|
||||||
|
self.admin_client.list_rbac_policies()['rbac_policies'])
|
||||||
|
# ensure that 'client2' can't see the rbac-policy sharing the
|
||||||
|
# as to it because the rbac-policy belongs to 'client'
|
||||||
|
self.assertNotIn(rbac_policy['id'], [p['id'] for p in
|
||||||
|
self.client2.list_rbac_policies()['rbac_policies']])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('17b2b437-a5fa-4340-ad98-912a986d0d7c')
|
||||||
|
def test_filter_fields(self):
|
||||||
|
snp = self._create_subnetpool()
|
||||||
|
self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared', target_tenant=self.client2.tenant_id)
|
||||||
|
field_args = (('id',), ('id', 'action'), ('object_type', 'object_id'),
|
||||||
|
('project_id', 'target_tenant'))
|
||||||
|
for fields in field_args:
|
||||||
|
res = self.admin_client.list_rbac_policies(fields=fields)
|
||||||
|
self.assertEqual(set(fields), set(res['rbac_policies'][0].keys()))
|
||||||
|
|
||||||
|
@decorators.idempotent_id('e59e4502-4e6a-4e49-b446-a5d5642bbd69')
|
||||||
|
def test_rbac_policy_show(self):
|
||||||
|
res = self._make_admin_snp_shared_to_project_id(
|
||||||
|
self.client.tenant_id)
|
||||||
|
p1 = res['rbac_policy']
|
||||||
|
p2 = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool',
|
||||||
|
object_id=res['subnetpool']['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant='*')['rbac_policy']
|
||||||
|
|
||||||
|
self.assertEqual(
|
||||||
|
p1, self.admin_client.show_rbac_policy(p1['id'])['rbac_policy'])
|
||||||
|
self.assertEqual(
|
||||||
|
p2, self.admin_client.show_rbac_policy(p2['id'])['rbac_policy'])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('1c24c28c-eb1e-466e-af29-255cf127653a')
|
||||||
|
def test_filter_rbac_policies(self):
|
||||||
|
snp = self._create_subnetpool()
|
||||||
|
rbac_pol1 = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.client2.tenant_id)['rbac_policy']
|
||||||
|
rbac_pol2 = self.admin_client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.admin_client.tenant_id)['rbac_policy']
|
||||||
|
res1 = self.admin_client.list_rbac_policies(id=rbac_pol1['id'])[
|
||||||
|
'rbac_policies']
|
||||||
|
res2 = self.admin_client.list_rbac_policies(id=rbac_pol2['id'])[
|
||||||
|
'rbac_policies']
|
||||||
|
self.assertEqual(1, len(res1))
|
||||||
|
self.assertEqual(1, len(res2))
|
||||||
|
self.assertEqual(rbac_pol1['id'], res1[0]['id'])
|
||||||
|
self.assertEqual(rbac_pol2['id'], res2[0]['id'])
|
||||||
|
|
||||||
|
@decorators.idempotent_id('63d9acbe-403c-4e77-9ffd-80e636a4621e')
|
||||||
|
def test_regular_client_blocked_from_sharing_anothers_policy(self):
|
||||||
|
snp = self._make_admin_snp_shared_to_project_id(
|
||||||
|
self.client.tenant_id)['subnetpool']
|
||||||
|
with testtools.ExpectedException(lib_exc.BadRequest):
|
||||||
|
self.client.create_rbac_policy(
|
||||||
|
object_type='subnetpool', object_id=snp['id'],
|
||||||
|
action='access_as_shared',
|
||||||
|
target_tenant=self.client2.tenant_id)
|
||||||
|
|
||||||
|
# make sure the rbac-policy is invisible to the tenant for which it's
|
||||||
|
# being shared
|
||||||
|
self.assertFalse(self.client.list_rbac_policies()['rbac_policies'])
|
||||||
|
|
Loading…
Reference in New Issue