openstack
/
patrole
Code Issues Proposed changes

Identity v3 RBAC Tests - EP Filter Groups 

This patch adds project-specific RBAC tests for the
identity v3 extension API: OS-EP-FILTER, providing
coverage for the following policy actions:

  * identity:create_endpoint_group
  * identity:list_endpoint_groups
  * identity:get_endpoint_group
  * identity:update_endpoint_group
  * identity:delete_endpoint_group

This patch also updates namespaces used in
project-specific RBAC tests for OS-EP-FILTER
API, for consistency.

Co-Authored-By: Kaustuv Royburman <kr336r@att.com>
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>

Change-Id: Ida8fd205d38a1b1231bfd9fb04dd3d2a94bde0dc
Depends-On: I96a8dbe02ff70d9cf8b23e194fe60fc5df08c43b
This commit is contained in:
Nicolas Helgeson 2017-03-15 16:24:43 -07:00 committed by Felipe Monteiro
parent 4a89216803
commit c5ebd76366
4 changed files with 144 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
patrole_tempest_plugin/tests/api/identity/rbac_base.py
View File

@ -216,6 +216,8 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
cls.domains_client = cls.os_primary.domains_client
cls.domain_config_client = cls.os_primary.domain_config_client
cls.endpoints_client = cls.os_primary.endpoints_v3_client
cls.endpoint_filter_client = cls.os_primary.endpoint_filter_client
cls.endpoint_groups_client = cls.os_primary.endpoint_groups_client
cls.groups_client = cls.os_primary.groups_client
cls.identity_client = cls.os_primary.identity_v3_client
cls.projects_client = cls.os_primary.projects_client

108
patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py Normal file
View File

@ -0,0 +1,108 @@
# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
class EndpointFilterGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
interface = 'public'
@classmethod
def resource_setup(cls):
super(EndpointFilterGroupsV3RbacTest, cls).resource_setup()
cls.service_id = cls.setup_test_service()['id']
def setUp(self):
super(EndpointFilterGroupsV3RbacTest, self).setUp()
self.endpoint_group_id = self._create_endpoint_group()
def _create_endpoint_group(self, ignore_not_found=False):
# Create an endpoint group
ep_group_name = data_utils.rand_name(
self.__class__.__name__ + '-EPFilterGroup')
filters = {
'filters': {
'interface': self.interface,
'service_id': self.service_id
}
}
endpoint_group = self.endpoint_groups_client.create_endpoint_group(
name=ep_group_name, **filters)['endpoint_group']
if ignore_not_found:
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.endpoint_groups_client.delete_endpoint_group,
endpoint_group['id'])
else:
self.addCleanup(self.endpoint_groups_client.delete_endpoint_group,
endpoint_group['id'])
return endpoint_group['id']
@rbac_rule_validation.action(service="keystone",
rule="identity:create_endpoint_group")
@decorators.idempotent_id('b4765906-52ec-477b-b441-a8508ced68e3')
def test_create_endpoint_group(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_endpoint_group(ignore_not_found=True)
@rbac_rule_validation.action(service="keystone",
rule="identity:list_endpoint_groups")
@decorators.idempotent_id('089aa3a7-ba1f-4f70-a1cf-f298a845058a')
def test_list_endpoint_groups(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.list_endpoint_groups()['endpoint_groups']
@decorators.idempotent_id('5c16368d-1485-4c28-9803-db3fa3510623')
@rbac_rule_validation.action(service="keystone",
rule="identity:check_endpoint_group")
def test_check_endpoint_group(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.check_endpoint_group(
self.endpoint_group_id)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_endpoint_group")
@decorators.idempotent_id('bd2b6fb8-661f-4255-84b2-50fea4a1dc61')
def test_show_endpoint_group(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.show_endpoint_group(
self.endpoint_group_id)['endpoint_group']
@rbac_rule_validation.action(service="keystone",
rule="identity:update_endpoint_group")
@decorators.idempotent_id('028b9198-ec35-4bd5-8f72-e23dfb7a0c8e')
def test_update_endpoint_group(self):
updated_name = data_utils.rand_name(
self.__class__.__name__ + '-EPFilterGroup')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.update_endpoint_group(
self.endpoint_group_id, name=updated_name)['endpoint_group']
@rbac_rule_validation.action(service="keystone",
rule="identity:delete_endpoint_group")
@decorators.idempotent_id('88cc105e-70d9-48ac-927e-200ef41e070c')
def test_delete_endpoint_group(self):
endpoint_group_id = self._create_endpoint_group(ignore_not_found=True)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.endpoint_groups_client.delete_endpoint_group(endpoint_group_id)

43
patrole_tempest_plugin/tests/api/identity/v3/test_endpoint_filter_rbac.py → patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
View File

@ -20,28 +20,27 @@ from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
class IdentityEndpointsFilterV3RbacTest(
rbac_base.BaseIdentityV3RbacTest):
@classmethod
def setup_clients(cls):
super(IdentityEndpointsFilterV3RbacTest, cls).setup_clients()
cls.ep_api_client = cls.os_primary.endpoint_filter_client
class EndpointFilterProjectsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
super(IdentityEndpointsFilterV3RbacTest, cls).resource_setup()
super(EndpointFilterProjectsV3RbacTest, cls).resource_setup()
cls.project = cls.setup_test_project()
cls.service = cls.setup_test_service()
cls.endpoint = cls.setup_test_endpoint(service=cls.service)
cls.endpoint = cls.setup_test_endpoint()
def _add_endpoint_to_project(self):
# Adding and cleaning up endpoints to projects
self.ep_api_client.add_endpoint_to_project(
def _add_endpoint_to_project(self, ignore_not_found=False):
self.endpoint_filter_client.add_endpoint_to_project(
self.project['id'], self.endpoint['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.ep_api_client.delete_endpoint_from_project,
self.project['id'], self.endpoint['id'])
if ignore_not_found:
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.endpoint_filter_client.delete_endpoint_from_project,
self.project['id'], self.endpoint['id'])
else:
self.addCleanup(
self.endpoint_filter_client.delete_endpoint_from_project,
self.project['id'], self.endpoint['id'])
@rbac_rule_validation.action(
service="keystone",
@ -50,7 +49,7 @@ class IdentityEndpointsFilterV3RbacTest(
def test_add_endpoint_to_project(self):
# Adding endpoints to projects
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._add_endpoint_to_project()
self._add_endpoint_to_project(ignore_not_found=True)
@rbac_rule_validation.action(
service="keystone",
@ -58,7 +57,7 @@ class IdentityEndpointsFilterV3RbacTest(
@decorators.idempotent_id('f53dca42-ec8a-48e9-924b-0bbe6c99727f')
def test_list_projects_for_endpoint(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.ep_api_client.list_projects_for_endpoint(
self.endpoint_filter_client.list_projects_for_endpoint(
self.endpoint['id'])
@rbac_rule_validation.action(
@ -68,7 +67,7 @@ class IdentityEndpointsFilterV3RbacTest(
def test_check_endpoint_in_project(self):
self._add_endpoint_to_project()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.ep_api_client.check_endpoint_in_project(
self.endpoint_filter_client.check_endpoint_in_project(
self.project['id'], self.endpoint['id'])
@rbac_rule_validation.action(
@ -77,7 +76,7 @@ class IdentityEndpointsFilterV3RbacTest(
@decorators.idempotent_id('5d86c659-c6ad-41e0-854e-3823e95c7cc2')
def test_list_endpoints_in_project(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.ep_api_client.list_endpoints_in_project(
self.endpoint_filter_client.list_endpoints_in_project(
self.project['id'])
@rbac_rule_validation.action(
@ -85,7 +84,7 @@ class IdentityEndpointsFilterV3RbacTest(
rule="identity:remove_endpoint_from_project")
@decorators.idempotent_id('b4e21c10-4f47-427b-9b8a-f5b5601adfda')
def test_remove_endpoint_from_project(self):
self._add_endpoint_to_project()
self._add_endpoint_to_project(ignore_not_found=True)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.ep_api_client.delete_endpoint_from_project(
self.endpoint_filter_client.delete_endpoint_from_project(
self.project['id'], self.endpoint['id'])

13
releasenotes/notes/ep-filter-groups-rbac-tests-bca28e9a055bbb8d.yaml Normal file
View File

@ -0,0 +1,13 @@
---
features:
- |
Add group-specific RBAC tests for the identity v3 extension API,
OS-EP-FILTER, providing coverage for the following policy actions:
* identity:create_endpoint_group
* identity:list_endpoint_groups
* identity:show_endpoint_group (get endpoint group)
* identity:check_endpoint_group
* identity:list_endpoint_group (get endpoint groups)
* identity:update_endpoint_group
* identity:delete_endpoint_group