Add missing v3 token related testcases
We have added scenarios to test_check_token_existence(), test_validate_token() and test_validate_revoke_token() Co-Authored-By: Nishant Kumar <nk613n@att.com> Co-Authored-By: Pramod Kumar Singh <pk110e@att.com> Co-Authored-By: Hemanth Nakkina <nh863p@att.com> Change-Id: I4aadd8016dc30b0fb39f22862806aeb787b3ae75 Depends-on: I0b95a19162456cbaf524ea6691e7e28c151c6ada Closes-Bug: #1691044
parent
5e08484be6
commit
ccfa23e388
|
@ -243,6 +243,7 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
|||
cls.trusts_client = cls.os_primary.trusts_client
|
||||
cls.users_client = cls.os_primary.users_v3_client
|
||||
cls.oauth_token_client = cls.os_primary.oauth_token_client
|
||||
cls.token_client = cls.os_primary.token_v3_client
|
||||
|
||||
@classmethod
|
||||
def resource_setup(cls):
|
||||
|
@ -254,6 +255,7 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
|||
cls.projects = []
|
||||
cls.regions = []
|
||||
cls.trusts = []
|
||||
cls.tokens = []
|
||||
|
||||
@classmethod
|
||||
def resource_cleanup(cls):
|
||||
|
@ -289,6 +291,10 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
|||
test_utils.call_and_ignore_notfound_exc(
|
||||
cls.trusts_client.delete_trust, trust['id'])
|
||||
|
||||
for token in cls.tokens:
|
||||
test_utils.call_and_ignore_notfound_exc(
|
||||
cls.identity_client.delete_token, token)
|
||||
|
||||
super(BaseIdentityV3RbacTest, cls).resource_cleanup()
|
||||
|
||||
@classmethod
|
||||
|
@ -375,3 +381,12 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
|||
cls.trusts.append(trust)
|
||||
|
||||
return trust
|
||||
|
||||
@classmethod
|
||||
def setup_test_token(cls, user_id, password):
|
||||
"""Set up a test token."""
|
||||
token = cls.token_client.auth(user_id=user_id,
|
||||
password=password).response
|
||||
token_id = token['x-subject-token']
|
||||
cls.tokens.append(token_id)
|
||||
return token_id
|
||||
|
|
|
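Review bot: In `setup_test_token` the local named `token` holds the response headers of the auth call rather than a token, and the one-line docstring does not say that the returned ID is a live bearer credential tracked for later revocation. I would rename the local (`resp = cls.token_client.auth(user_id=user_id, password=password).response`) and expand the docstring to `"""Authenticate as user_id, record the issued token ID in cls.tokens so resource_cleanup revokes it, and return the ID."""`. The loop added to `resource_cleanup` swallows only NotFound, so any other error from `delete_token` would skip the remaining revocations and the `super()` call; whether that can occur depends on the role active at cleanup, which is not visible here. The body of `resource_cleanup` starts outside the hunk.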
@ -0,0 +1,100 @@
|
|||
# Copyright 2017 AT&T Corporation.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from tempest import config
|
||||
from tempest.lib import decorators
|
||||
from tempest.lib import exceptions as lib_exc
|
||||
from tempest import test
|
||||
|
||||
from patrole_tempest_plugin import rbac_rule_validation
|
||||
from patrole_tempest_plugin.tests.api.identity import rbac_base
|
||||
|
||||
CONF = config.CONF
|
||||
|
||||
|
||||
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
||||
|
||||
credentials = ['primary', 'admin', 'alt']
|
||||
|
||||
@classmethod
|
||||
def skip_checks(cls):
|
||||
super(IdentityTokenV3RbacTest, cls).skip_checks()
|
||||
# In case of admin, the positive testcase would be used, hence
|
||||
# skipping negative testcase
|
||||
if CONF.rbac.rbac_test_role == CONF.identity.admin_role:
|
||||
raise cls.skipException(
|
||||
"Skipped as admin role doesn't require negative testing")
|
||||
|
||||
def _setup_alt_token(self):
|
||||
return self.setup_test_token(
|
||||
self.os_alt.auth_provider.credentials.user_id,
|
||||
self.os_alt.auth_provider.credentials.password)
|
||||
|
||||
@decorators.idempotent_id('c83c8f1a-79cb-4dc4-b55f-c7d2bfd98b1e')
|
||||
@test.attr(type=['negative'])
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:validate_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_alt.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_show_token_negative(self):
|
||||
# Explicit negative test for identity:validate_token policy action.
|
||||
# Assert expected exception is Forbidden and then reraise it.
|
||||
alt_token_id = self._setup_alt_token()
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
e = self.assertRaises(lib_exc.Forbidden,
|
||||
self.identity_client.show_token,
|
||||
alt_token_id)
|
||||
raise e
|
||||
|
||||
@decorators.idempotent_id('2786a55d-a818-433a-af7a-41ebf72ab4da')
|
||||
@test.attr(type=['negative'])
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:revoke_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_alt.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_delete_token_negative(self):
|
||||
# Explicit negative test for identity:revoke_token policy action.
|
||||
# Assert expected exception is Forbidden and then reraise it.
|
||||
alt_token_id = self._setup_alt_token()
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
e = self.assertRaises(lib_exc.Forbidden,
|
||||
self.identity_client.delete_token,
|
||||
alt_token_id)
|
||||
raise e
|
||||
|
||||
@decorators.idempotent_id('1ea02ac0-9a96-44bd-bdc3-4dae3c10cc2e')
|
||||
@test.attr(type=['negative'])
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:check_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_alt.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_check_token_existence_negative(self):
|
||||
# Explicit negative test for identity:check_token policy action.
|
||||
# Assert expected exception is Forbidden and then reraise it.
|
||||
alt_token_id = self._setup_alt_token()
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
e = self.assertRaises(lib_exc.Forbidden,
|
||||
self.identity_client.check_token_existence,
|
||||
alt_token_id)
|
||||
raise e
|
|
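Review bot: The three negative tests state their intent only in `#` comments, and `_setup_alt_token` has no documentation at all, although it authenticates with the alt user's real password to mint a token owned by a different user than the one under test. A docstring per test, for example `"""A non-owner must receive Forbidden for identity:validate_token on another user's token."""`, would carry that intent into test reports. `_setup_alt_token` could say `"""Issue a token for the alt user; it is registered in cls.tokens for revocation during cleanup."""`. The `e = self.assertRaises(...)` followed by `raise e` presumably relies on the `rbac_rule_validation.action` decorator handling the re-raised Forbidden; that decorator is not shown on this page, so the existing comment should name it explicitly.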
@ -0,0 +1,67 @@
|
|||
# Copyright 2017 AT&T Corporation.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from tempest.lib import decorators
|
||||
|
||||
from patrole_tempest_plugin import rbac_rule_validation
|
||||
from patrole_tempest_plugin.tests.api.identity import rbac_base
|
||||
|
||||
|
||||
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
||||
|
||||
@classmethod
|
||||
def resource_setup(cls):
|
||||
super(IdentityTokenV3RbacTest, cls).resource_setup()
|
||||
cls.user_id = cls.os_primary.auth_provider.credentials.user_id
|
||||
cls.password = cls.os_primary.auth_provider.credentials.password
|
||||
|
||||
@decorators.idempotent_id('201e2fe5-2023-4bce-9189-78b51520a91e')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:validate_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_primary.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_show_token(self):
|
||||
token_id = self.setup_test_token(self.user_id, self.password)
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
self.identity_client.show_token(token_id)
|
||||
|
||||
@decorators.idempotent_id('42a299db-fe0a-4ea0-9824-0bfd13155886')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:revoke_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_primary.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_delete_token(self):
|
||||
token_id = self.setup_test_token(self.user_id, self.password)
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
self.identity_client.delete_token(token_id)
|
||||
|
||||
@decorators.idempotent_id('3554d218-8cd6-4730-a1b2-0e22f9b78f45')
|
||||
@rbac_rule_validation.action(
|
||||
service="keystone",
|
||||
rule="identity:check_token",
|
||||
extra_target_data={
|
||||
"target.token.user_id":
|
||||
"os_primary.auth_provider.credentials.user_id"
|
||||
})
|
||||
def test_check_token_exsitence(self):
|
||||
token_id = self.setup_test_token(self.user_id, self.password)
|
||||
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
|
||||
self.identity_client.check_token_existence(token_id)
|
|
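Review bot: The last test method is misspelled as `test_check_token_exsitence`, which does not match the `test_check_token_existence()` named in the commit message or the `check_token_existence` client call it exercises. The definition should read `def test_check_token_existence(self):` so name-based test selection and the negative counterpart `test_check_token_existence_negative` line up. The three positive tests also lack docstrings. A line such as `"""Owner can validate their own token under identity:validate_token."""` would make clear that `target.token.user_id` is deliberately the primary user here.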
@ -0,0 +1,3 @@
|
|||
---
|
||||
features:
|
||||
- Added RBAC test scenarios for the token-related v3 identity API
|