RBAC tests for os-extended-volumes policies
This commit adds RBAC tests for os-extended-volumes policies, the documentation for which can be found here:
https://github.com/openstack/nova/blob/master/nova/policies/extended_volumes.py

Tests for both APIs that enforce each policy were added.

Change-Id: I6669f420743a3fee6470a7bb4ca5f1353a0e9696
Implements: blueprint rbac-tests-for-compute-extended-volumes
Depends-On: I1c14646dc8d102cd093be09833c23846781e5e73
parent
d6bde60965
commit
3983d13210
|
@ -42,6 +42,8 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
Only applies to:
|
Only applies to:
|
||||||
* policy "families" that require server creation
|
* policy "families" that require server creation
|
||||||
* small policy "families" -- i.e. containing one to three policies
|
* small policy "families" -- i.e. containing one to three policies
|
||||||
|
|
||||||
|
Tests are ordered by policy name.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
credentials = ['primary', 'admin']
|
credentials = ['primary', 'admin']
|
||||||
|
@ -167,41 +169,36 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
# Force-deleting a server enforces os-deferred-delete.
|
# Force-deleting a server enforces os-deferred-delete.
|
||||||
self.servers_client.force_delete_server(self.server['id'])
|
self.servers_client.force_delete_server(self.server['id'])
|
||||||
|
|
||||||
@test.requires_ext(extension='os-instance-actions', service='compute')
|
@decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
|
||||||
@decorators.idempotent_id('9d1b131d-407e-4fa3-8eef-eb2c4526f1da')
|
@test.requires_ext(extension='OS-EXT-AZ', service='compute')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rule="os_compute_api:os-instance-actions")
|
rule="os_compute_api:os-extended-availability-zone")
|
||||||
def test_list_instance_actions(self):
|
def test_list_servers_with_details_extended_availability_zone(self):
|
||||||
"""Test list instance actions, part of os-instance-actions."""
|
"""Test list servers OS-EXT-AZ:availability_zone attr in resp body."""
|
||||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
expected_attr = 'OS-EXT-AZ:availability_zone'
|
||||||
self.servers_client.list_instance_actions(self.server['id'])
|
|
||||||
|
|
||||||
@test.requires_ext(extension='os-instance-actions', service='compute')
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
@decorators.idempotent_id('eb04c439-4215-4029-9ccb-5b3c041bfc25')
|
body = self.servers_client.list_servers(detail=True)['servers']
|
||||||
|
# If the first server contains `expected_attr`, then all the others do.
|
||||||
|
if expected_attr not in body[0]:
|
||||||
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
|
attribute=expected_attr)
|
||||||
|
|
||||||
|
@decorators.idempotent_id('727e5360-770a-4b9c-8015-513a40216635')
|
||||||
|
@test.requires_ext(extension='OS-EXT-AZ', service='compute')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rule="os_compute_api:os-instance-actions:events")
|
rule="os_compute_api:os-extended-availability-zone")
|
||||||
def test_show_instance_action(self):
|
def test_show_server_extended_availability_zone(self):
|
||||||
"""Test show instance action, part of os-instance-actions.
|
"""Test show server OS-EXT-AZ:availability_zone attr in resp body."""
|
||||||
|
expected_attr = 'OS-EXT-AZ:availability_zone'
|
||||||
Expect "events" details to be included in the response body.
|
|
||||||
"""
|
|
||||||
# NOTE: "os_compute_api:os-instance-actions" is also enforced.
|
|
||||||
request_id = self.server.response['x-compute-request-id']
|
|
||||||
|
|
||||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
instance_action = self.servers_client.show_instance_action(
|
body = self.servers_client.show_server(self.server['id'])['server']
|
||||||
self.server['id'], request_id)['instanceAction']
|
if expected_attr not in body:
|
||||||
|
|
||||||
if 'events' not in instance_action:
|
|
||||||
raise rbac_exceptions.RbacMalformedResponse(
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
attribute='events')
|
attribute=expected_attr)
|
||||||
# Microversion 2.51+ returns 'events' always, but not 'traceback'. If
|
|
||||||
# 'traceback' is also present then policy enforcement passed.
|
|
||||||
if 'traceback' not in instance_action['events'][0]:
|
|
||||||
raise rbac_exceptions.RbacMalformedResponse(
|
|
||||||
attribute='events.traceback')
|
|
||||||
|
|
||||||
@decorators.idempotent_id('82053c27-3134-4003-9b55-bc9fafdb0e3b')
|
@decorators.idempotent_id('82053c27-3134-4003-9b55-bc9fafdb0e3b')
|
||||||
@test.requires_ext(extension='OS-EXT-STS', service='compute')
|
@test.requires_ext(extension='OS-EXT-STS', service='compute')
|
||||||
|
@ -237,30 +234,33 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
raise rbac_exceptions.RbacMalformedResponse(
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
attribute=attr)
|
attribute=attr)
|
||||||
|
|
||||||
@decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
|
@decorators.idempotent_id('21e39cbe-6c32-48fc-80dd-3e1fece6053f')
|
||||||
@test.requires_ext(extension='OS-EXT-AZ', service='compute')
|
@test.requires_ext(extension='os-extended-volumes', service='compute')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rule="os_compute_api:os-extended-availability-zone")
|
rule="os_compute_api:os-extended-volumes")
|
||||||
def test_list_servers_with_details_extended_availability_zone(self):
|
def test_list_servers_with_details_extended_volumes(self):
|
||||||
"""Test list servers OS-EXT-AZ:availability_zone attr in resp body."""
|
"""Test list servers os-extended-volumes:volumes_attached attr in resp
|
||||||
expected_attr = 'OS-EXT-AZ:availability_zone'
|
body.
|
||||||
|
"""
|
||||||
|
expected_attr = 'os-extended-volumes:volumes_attached'
|
||||||
|
|
||||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
body = self.servers_client.list_servers(detail=True)['servers']
|
body = self.servers_client.list_servers(detail=True)['servers']
|
||||||
# If the first server contains `expected_attr`, then all the others do.
|
|
||||||
if expected_attr not in body[0]:
|
if expected_attr not in body[0]:
|
||||||
raise rbac_exceptions.RbacMalformedResponse(
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
attribute=expected_attr)
|
attribute=expected_attr)
|
||||||
|
|
||||||
@decorators.idempotent_id('727e5360-770a-4b9c-8015-513a40216635')
|
@decorators.idempotent_id('7f163708-0d25-4138-8512-dfdd72a92989')
|
||||||
@test.requires_ext(extension='OS-EXT-AZ', service='compute')
|
@test.requires_ext(extension='os-extended-volumes', service='compute')
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rule="os_compute_api:os-extended-availability-zone")
|
rule="os_compute_api:os-extended-volumes")
|
||||||
def test_show_server_extended_availability_zone(self):
|
def test_show_server_extended_volumes(self):
|
||||||
"""Test show server OS-EXT-AZ:availability_zone attr in resp body."""
|
"""Test show server os-extended-volumes:volumes_attached attr in resp
|
||||||
expected_attr = 'OS-EXT-AZ:availability_zone'
|
body.
|
||||||
|
"""
|
||||||
|
expected_attr = 'os-extended-volumes:volumes_attached'
|
||||||
|
|
||||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
body = self.servers_client.show_server(self.server['id'])['server']
|
body = self.servers_client.show_server(self.server['id'])['server']
|
||||||
|
@ -268,6 +268,42 @@ class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
|
||||||
raise rbac_exceptions.RbacMalformedResponse(
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
attribute=expected_attr)
|
attribute=expected_attr)
|
||||||
|
|
||||||
|
@test.requires_ext(extension='os-instance-actions', service='compute')
|
||||||
|
@decorators.idempotent_id('9d1b131d-407e-4fa3-8eef-eb2c4526f1da')
|
||||||
|
@rbac_rule_validation.action(
|
||||||
|
service="nova",
|
||||||
|
rule="os_compute_api:os-instance-actions")
|
||||||
|
def test_list_instance_actions(self):
|
||||||
|
"""Test list instance actions, part of os-instance-actions."""
|
||||||
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
|
self.servers_client.list_instance_actions(self.server['id'])
|
||||||
|
|
||||||
|
@test.requires_ext(extension='os-instance-actions', service='compute')
|
||||||
|
@decorators.idempotent_id('eb04c439-4215-4029-9ccb-5b3c041bfc25')
|
||||||
|
@rbac_rule_validation.action(
|
||||||
|
service="nova",
|
||||||
|
rule="os_compute_api:os-instance-actions:events")
|
||||||
|
def test_show_instance_action(self):
|
||||||
|
"""Test show instance action, part of os-instance-actions.
|
||||||
|
|
||||||
|
Expect "events" details to be included in the response body.
|
||||||
|
"""
|
||||||
|
# NOTE: "os_compute_api:os-instance-actions" is also enforced.
|
||||||
|
request_id = self.server.response['x-compute-request-id']
|
||||||
|
|
||||||
|
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||||
|
instance_action = self.servers_client.show_instance_action(
|
||||||
|
self.server['id'], request_id)['instanceAction']
|
||||||
|
|
||||||
|
if 'events' not in instance_action:
|
||||||
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
|
attribute='events')
|
||||||
|
# Microversion 2.51+ returns 'events' always, but not 'traceback'. If
|
||||||
|
# 'traceback' is also present then policy enforcement passed.
|
||||||
|
if 'traceback' not in instance_action['events'][0]:
|
||||||
|
raise rbac_exceptions.RbacMalformedResponse(
|
||||||
|
attribute='events.traceback')
|
||||||
|
|
||||||
@rbac_rule_validation.action(
|
@rbac_rule_validation.action(
|
||||||
service="nova",
|
service="nova",
|
||||||
rule="os_compute_api:os-lock-server:lock")
|
rule="os_compute_api:os-lock-server:lock")
|
||||||
|
|
|
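Review bot: In test_list_servers_with_details_extended_volumes the check `if expected_attr not in body[0]:` indexes the list response without first confirming that it is non-empty. If the switched role gets back an empty server list, the test fails with IndexError rather than RbacMalformedResponse, and how the rbac_rule_validation decorator classifies that exception is not visible on this page. Folding the guard into the existing condition keeps the failure in the exception type the test already uses: `if not body or expected_attr not in body[0]:`. The comment explaining why only the first server is inspected, which the availability-zone list test carries, appears to be missing from the new test and is worth restoring above the check. The same indexing pattern is in test_list_servers_with_details_extended_availability_zone, which this commit relocates; the enclosing class starts outside the hunks shown.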
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add RBAC tests for os-extended-volumes:volumes_attached policies, which
|
||||||
|
validate that "os-extended-volumes:volumes_attached" is returned in the
|
||||||
|
response body.
|