Fix flavor_rxtx_rbac

Updates flavor_rxtx to more thoroughly test policy enforcement by - making use of RbacMalformedResponse to ensure rxtx_factor is included in response body - adding new flavor_rxtx tests Currently, POST /flavors is not tested as that action also enforces os-flavor-manage: create, which is admin-only by default and would therefore fail due to conflicting policy restrictions. This test will be added once multi-policy support is available. Change-Id: I7fb35212fc6bb817a2b04077c983865e1191f214 Closes-Bug: #1712725
2017-08-25 14:21:49 -04:00 · 2017-08-25 14:21:49 -04:00 · bf58a7fe3a
parent 9db9a1b0cb
commit bf58a7fe3a
2 changed files with 30 additions and 4 deletions
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@ -13,12 +13,17 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from oslo_config import cfg
+
 from tempest.lib import decorators
 from tempest import test

+from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.compute import rbac_base

+CONF = cfg.CONF
+

 class FlavorRxtxRbacTest(rbac_base.BaseV2ComputeRbacTest):

@ -29,11 +34,27 @@ class FlavorRxtxRbacTest(rbac_base.BaseV2ComputeRbacTest):
            msg = "os-flavor-rxtx extension not enabled."
            raise cls.skipException(msg)

-    @decorators.idempotent_id('0278677c-6e69-4293-a387-b485781e61a1')
+    @decorators.idempotent_id('5e1fd9f0-9a08-485a-ad9c-0fc66e4d64b7')
    @rbac_rule_validation.action(
        service="nova",
        rule="os_compute_api:os-flavor-rxtx")
-    def test_create_flavor_rxtx(self):
+    def test_list_flavors_details_rxtx(self):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-        # Enforces os_compute_api:os-flavor-rxtx.
-        self.flavors_client.list_flavors(detail=True)['flavors']
+        # Enforces os_compute_api:os-flavor-rxtx
+        result = self.flavors_client.list_flavors(detail=True)['flavors']
+        if 'rxtx_factor' not in result[0]:
+            raise rbac_exceptions.RbacMalformedResponse(
+                attribute='rxtx_factor')
+
+    @decorators.idempotent_id('70c55a07-c843-4627-a29d-ba78673c1e63')
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-flavor-rxtx")
+    def test_get_flavor_rxtx(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        # Enforces os_compute_api:os-flavor-rxtx
+        result =\
+            self.flavors_client.show_flavor(CONF.compute.flavor_ref)['flavor']
+        if 'rxtx_factor' not in result:
+            raise rbac_exceptions.RbacMalformedResponse(
+                attribute='rxtx_factor')
--- a/releasenotes/notes/flavor-rxtx-d7aadbb32a9f232c.yaml
+++ b/releasenotes/notes/flavor-rxtx-d7aadbb32a9f232c.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    test_flavor_rxtx_rbac now offers complete
+    coverage for the os-flavor-rxtx policy.