Add missing v3 token related testcases

We have added scenarios to test_check_token_existence(),
test_validate_token() and test_validate_revoke_token()

Co-Authored-By: Nishant Kumar <nk613n@att.com>
Co-Authored-By: Pramod Kumar Singh <pk110e@att.com>
Co-Authored-By: Hemanth Nakkina <nh863p@att.com>

Change-Id: I4aadd8016dc30b0fb39f22862806aeb787b3ae75
Depends-on: I0b95a19162456cbaf524ea6691e7e28c151c6ada
Closes-Bug: #1691044
Pradeep Kumar 2017-05-19 21:09:44 +05:30 committed by Felipe Monteiro
parent 5e08484be6
commit ccfa23e388
4 changed files with 185 additions and 0 deletions


@ -243,6 +243,7 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
cls.trusts_client = cls.os_primary.trusts_client
cls.users_client = cls.os_primary.users_v3_client
cls.oauth_token_client = cls.os_primary.oauth_token_client
cls.token_client = cls.os_primary.token_v3_client
@classmethod
def resource_setup(cls):
@ -254,6 +255,7 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
cls.projects = []
cls.regions = []
cls.trusts = []
cls.tokens = []
@classmethod
def resource_cleanup(cls):
@ -289,6 +291,10 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
test_utils.call_and_ignore_notfound_exc(
cls.trusts_client.delete_trust, trust['id'])
for token in cls.tokens:
test_utils.call_and_ignore_notfound_exc(
cls.identity_client.delete_token, token)
super(BaseIdentityV3RbacTest, cls).resource_cleanup()
@classmethod
@ -375,3 +381,12 @@ class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
cls.trusts.append(trust)
return trust
@classmethod
def setup_test_token(cls, user_id, password):
"""Set up a test token."""
token = cls.token_client.auth(user_id=user_id,
password=password).response
token_id = token['x-subject-token']
cls.tokens.append(token_id)
return token_id
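Review bot: The docstring on `setup_test_token` says only "Set up a test token." and omits the two facts a caller needs. The return value is the `x-subject-token` header of the auth response, and the id is appended to `cls.tokens` so that the loop added to `resource_cleanup` revokes it. I would write `"""Authenticate as user_id and return the token id; the id is tracked in cls.tokens and revoked in resource_cleanup."""`. Because that id is a usable bearer credential until it is revoked, it should stay out of log and assertion messages. The class and `resource_cleanup` both extend beyond the hunks shown here.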


@ -0,0 +1,100 @@
# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest import config
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
credentials = ['primary', 'admin', 'alt']
@classmethod
def skip_checks(cls):
super(IdentityTokenV3RbacTest, cls).skip_checks()
# In case of admin, the positive testcase would be used, hence
# skipping negative testcase
if CONF.rbac.rbac_test_role == CONF.identity.admin_role:
raise cls.skipException(
"Skipped as admin role doesn't require negative testing")
def _setup_alt_token(self):
return self.setup_test_token(
self.os_alt.auth_provider.credentials.user_id,
self.os_alt.auth_provider.credentials.password)
@decorators.idempotent_id('c83c8f1a-79cb-4dc4-b55f-c7d2bfd98b1e')
@test.attr(type=['negative'])
@rbac_rule_validation.action(
service="keystone",
rule="identity:validate_token",
extra_target_data={
"target.token.user_id":
"os_alt.auth_provider.credentials.user_id"
})
def test_show_token_negative(self):
# Explicit negative test for identity:validate_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
e = self.assertRaises(lib_exc.Forbidden,
self.identity_client.show_token,
alt_token_id)
raise e
@decorators.idempotent_id('2786a55d-a818-433a-af7a-41ebf72ab4da')
@test.attr(type=['negative'])
@rbac_rule_validation.action(
service="keystone",
rule="identity:revoke_token",
extra_target_data={
"target.token.user_id":
"os_alt.auth_provider.credentials.user_id"
})
def test_delete_token_negative(self):
# Explicit negative test for identity:revoke_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
e = self.assertRaises(lib_exc.Forbidden,
self.identity_client.delete_token,
alt_token_id)
raise e
@decorators.idempotent_id('1ea02ac0-9a96-44bd-bdc3-4dae3c10cc2e')
@test.attr(type=['negative'])
@rbac_rule_validation.action(
service="keystone",
rule="identity:check_token",
extra_target_data={
"target.token.user_id":
"os_alt.auth_provider.credentials.user_id"
})
def test_check_token_existence_negative(self):
# Explicit negative test for identity:check_token policy action.
# Assert expected exception is Forbidden and then reraise it.
alt_token_id = self._setup_alt_token()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
e = self.assertRaises(lib_exc.Forbidden,
self.identity_client.check_token_existence,
alt_token_id)
raise e
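Review bot: `test_delete_token_negative` asserts only that `delete_token` raised `Forbidden`; nothing confirms that the alt user's token is still valid afterwards. A service that answers 403 but revokes the token anyway would therefore pass this test. Before `raise e`, the token could be re-validated by an identity that is permitted to do so, though the client or role switch needed for that is not visible in this section. At minimum the gap should be recorded next to the assertion, for example `# NOTE: only the 403 is asserted; the alt token's continued validity is not re-checked.`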


@ -0,0 +1,67 @@
# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
super(IdentityTokenV3RbacTest, cls).resource_setup()
cls.user_id = cls.os_primary.auth_provider.credentials.user_id
cls.password = cls.os_primary.auth_provider.credentials.password
@decorators.idempotent_id('201e2fe5-2023-4bce-9189-78b51520a91e')
@rbac_rule_validation.action(
service="keystone",
rule="identity:validate_token",
extra_target_data={
"target.token.user_id":
"os_primary.auth_provider.credentials.user_id"
})
def test_show_token(self):
token_id = self.setup_test_token(self.user_id, self.password)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.identity_client.show_token(token_id)
@decorators.idempotent_id('42a299db-fe0a-4ea0-9824-0bfd13155886')
@rbac_rule_validation.action(
service="keystone",
rule="identity:revoke_token",
extra_target_data={
"target.token.user_id":
"os_primary.auth_provider.credentials.user_id"
})
def test_delete_token(self):
token_id = self.setup_test_token(self.user_id, self.password)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.identity_client.delete_token(token_id)
@decorators.idempotent_id('3554d218-8cd6-4730-a1b2-0e22f9b78f45')
@rbac_rule_validation.action(
service="keystone",
rule="identity:check_token",
extra_target_data={
"target.token.user_id":
"os_primary.auth_provider.credentials.user_id"
})
def test_check_token_exsitence(self):
token_id = self.setup_test_token(self.user_id, self.password)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.identity_client.check_token_existence(token_id)
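Review bot: The last test's name is misspelled as `test_check_token_exsitence`; it should read `def test_check_token_existence(self):`. That matches the client call `check_token_existence` in its body and the negative counterpart `test_check_token_existence_negative`. Test names are commonly used in selection and skip-list patterns, so the misspelling is cheapest to correct before anything references it. The `idempotent_id` can stay unchanged.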


@ -0,0 +1,3 @@
---
features:
- Added RBAC test scenarios for the token-related v3 identity API