35a77113fc
Patrole currently cannot handle the scenario where two possible error codes can be returned by Neutron policy enforcement for a failed policy check (403 Forbidden and 404 NotFound), depending on what role is being tested. Patrole framework can only handle one expected_exception.

This change builds upon the recent multi-policy support to allow the tester to specify multiple policy actions for one API test. For each policy action, the tester would need to specify an error code that is expected if the action should fail. If multiple policy actions fail, the error code for the first policy action that fails will be expected to be returned from the service.

This handles the cases in Neutron where Neutron may use a second policy rule to determine whether or not to return a 403 error code or a 404 error code. The tester is expected to list out which policy rules are being tested by the API endpoint test.

Change-Id: I5cd861e184da90bb27f8ba454c94fa4d4f99c269
Closes-Bug: #1772710
32 lines
1.5 KiB
YAML
---
features:
  - |
    Patrole now offers support for multiple policies. The ``rules`` argument
    has been added to the ``rbac_rule_validation.action`` decorator, which
    takes a list of policy names which Patrole will use to determine the
    expected test result. This allows Patrole to more accurately determine
    whether RBAC is configured correctly, since some API endpoints enforce
    multiple policies.

    Multiple policy support includes the capability to specify multiple
    expected error codes, as some components may return different error codes
    for different roles due to checking multiple policy rules. The
    ``expected_error_codes`` argument has been added to the
    ``rbac_rule_validation.action`` decorator, which is a list of error codes
    expected when the corresponding rule in the ``rules`` list is disallowed
    to perform the API action. For this reason, the error codes in the
    ``expected_error_codes`` list must appear in the same order as their
    corresponding rules in the ``rules`` list. For example:

        expected_error_codes[0] is the error code for the rules[0] rule.
        expected_error_codes[1] is the error code for the rules[1] rule.
        ...

deprecations:
  - |
    The ``rule`` argument in the ``rbac_rule_validation.action`` decorator has
    been deprecated in favor of ``rules``.

    The ``expected_error_code`` argument in the ``rbac_rule_validation.action``
    decorator has been deprecated in favor of ``expected_error_codes``.
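The index pairing and the "first failing rule decides" behaviour described in the commit message and release note can be modelled in a few lines. This is an added example, not Patrole's own code: the function names, verdict strings, role table and the `get_port`/`update_port` pairing with 404/403 are constructed for illustration.

```python
from typing import Mapping, Optional, Sequence


def expected_error(rules: Sequence[str],
                   expected_error_codes: Sequence[int],
                   allowed: Mapping[str, bool]) -> Optional[int]:
    """Return the error code the service should answer with, or None when
    every listed rule permits the role (the call should succeed)."""
    if len(rules) != len(expected_error_codes):
        raise ValueError("rules and expected_error_codes must pair up by index")
    for rule, code in zip(rules, expected_error_codes):
        if not allowed[rule]:
            return code  # the first rule that fails decides the expected code
    return None


def verdict(expected: Optional[int], observed: int) -> str:
    """Compare the expectation with the HTTP status the service returned."""
    failed = observed >= 400
    if expected is None:
        return "under-permission" if failed else "ok"
    if not failed:
        return "over-permission"  # role got through although a rule denies it
    return "ok" if observed == expected else "wrong-error-code"


# Constructed sample: one API call guarded by two rules, listed in the order
# the service is assumed to evaluate them.
RULES = ["get_port", "update_port"]
CODES = [404, 403]
ROLE_POLICY = {  # constructed per-role policy results
    "admin": {"get_port": True, "update_port": True},
    "reader": {"get_port": True, "update_port": False},
    "outsider": {"get_port": False, "update_port": False},
}


def expectations() -> dict:
    """Expected outcome per role for the constructed sample above."""
    return {role: expected_error(RULES, CODES, allowed)
            for role, allowed in ROLE_POLICY.items()}


if __name__ == "__main__":
    for role, code in expectations().items():
        print(role, "->", "success" if code is None else code)
```

Swapping the two entries in `CODES` without swapping `RULES` makes a correctly configured deployment report `wrong-error-code` for both the reader and outsider roles, which is why the release note requires the two lists to share one order.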