Add Access Rules tests

Access rules for application credentials were added in the Train release
of keystone. This change adds related CRUD tests for access rules. See
the API reference for additional information[1].

[1] https://docs.openstack.org/api-ref/identity/v3/index.html#application-credentials

Change-Id: Ifd4ff2245277c2c57f5ccf450923434c0277a724
changes/19/699519/5
Colleen Murphy 3 years ago
parent 3e42d81b72
commit d2cbd3ad4c

@ -192,6 +192,7 @@ class BaseIdentityV3Test(BaseIdentityTest):
cls.os_primary.identity_versions_v3_client
cls.non_admin_app_creds_client = \
cls.os_primary.application_credentials_client
cls.non_admin_access_rules_client = cls.os_primary.access_rules_client
class BaseIdentityV3AdminTest(BaseIdentityV3Test):

@ -0,0 +1,84 @@
# Copyright 2019 SUSE LLC
#
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class AccessRulesV3Test(base.BaseIdentityV3Test):
@classmethod
def skip_checks(cls):
super(AccessRulesV3Test, cls).skip_checks()
if not CONF.identity_feature_enabled.access_rules:
raise cls.skipException("Application credential access rules are "
"not available in this environment")
@classmethod
def resource_setup(cls):
super(AccessRulesV3Test, cls).resource_setup()
cls.user_id = cls.os_primary.credentials.user_id
cls.project_id = cls.os_primary.credentials.project_id
def setUp(self):
super(AccessRulesV3Test, self).setUp()
ac = self.non_admin_app_creds_client
access_rules = [
{
"path": "/v2.1/servers/*/ips",
"method": "GET",
"service": "compute"
}
]
self.app_cred = ac.create_application_credential(
self.user_id,
name=data_utils.rand_name('application_credential'),
access_rules=access_rules
)['application_credential']
@decorators.idempotent_id('2354c498-5119-4ba5-9f0d-44f16f78fb0e')
def test_list_access_rules(self):
ar = self.non_admin_access_rules_client.list_access_rules(self.user_id)
self.assertEqual(1, len(ar['access_rules']))
@decorators.idempotent_id('795dd507-ca1e-40e9-ba90-ff0a08689ba4')
def test_show_access_rule(self):
access_rule_id = self.app_cred['access_rules'][0]['id']
self.non_admin_access_rules_client.show_access_rule(
self.user_id, access_rule_id)
@decorators.idempotent_id('278757e9-e193-4bf8-adf2-0b0a229a17d0')
def test_delete_access_rule(self):
access_rule_id = self.app_cred['access_rules'][0]['id']
app_cred_id = self.app_cred['id']
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_access_rules_client.delete_access_rule,
self.user_id,
access_rule_id)
self.non_admin_app_creds_client.delete_application_credential(
self.user_id, app_cred_id)
ar = self.non_admin_access_rules_client.list_access_rules(self.user_id)
self.assertEqual(1, len(ar['access_rules']))
self.non_admin_access_rules_client.delete_access_rule(
self.user_id, access_rule_id)
ar = self.non_admin_access_rules_client.list_access_rules(self.user_id)
self.assertEqual(0, len(ar['access_rules']))

@ -19,8 +19,11 @@ import datetime
from oslo_utils import timeutils
from tempest.api.identity import base
from tempest import config
from tempest.lib import decorators
CONF = config.CONF
class ApplicationCredentialsV3Test(base.BaseApplicationCredentialsV3Test):
@ -62,6 +65,24 @@ class ApplicationCredentialsV3Test(base.BaseApplicationCredentialsV3Test):
expires_str = expires_at.isoformat()
self.assertEqual(expires_str, app_cred['expires_at'])
@decorators.idempotent_id('529936eb-aa5d-463d-9f79-01c113d3b88f')
def test_create_application_credential_access_rules(self):
if not CONF.identity_feature_enabled.access_rules:
raise self.skipException("Application credential access rules are "
"not available in this environment")
access_rules = [
{
"path": "/v2.1/servers/*/ips",
"method": "GET",
"service": "compute"
}
]
app_cred = self.create_application_credential(
access_rules=access_rules)
access_rule_resp = app_cred['access_rules'][0]
access_rule_resp.pop('id')
self.assertDictEqual(access_rules[0], access_rule_resp)
@decorators.idempotent_id('ff0cd457-6224-46e7-b79e-0ada4964a8a6')
def test_list_application_credentials(self):
self.create_application_credential()

@ -203,6 +203,8 @@ class Manager(clients.ServiceClients):
**params_v3)
self.application_credentials_client = \
self.identity_v3.ApplicationCredentialsClient(**params_v3)
self.access_rules_client = \
self.identity_v3.AccessRulesClient(**params_v3)
# Token clients do not use the catalog. They only need default_params.
# They read auth_url, so they should only be set if the corresponding

@ -252,6 +252,11 @@ IdentityFeatureGroup = [
default=False,
help='Does the environment have application credentials '
'enabled?'),
# Access rules for application credentials is a default feature in Train.
# This config option can removed once Stein is EOL.
cfg.BoolOpt('access_rules',
default=False,
help='Does the environment have access rules enabled?'),
cfg.BoolOpt('immutable_user_source',
default=False,
help='Set to True if the environment has a read-only '

@ -12,6 +12,8 @@
# License for the specific language governing permissions and limitations under
# the License.
from tempest.lib.services.identity.v3.access_rules_client import \
AccessRulesClient
from tempest.lib.services.identity.v3.application_credentials_client import \
ApplicationCredentialsClient
from tempest.lib.services.identity.v3.catalog_client import \
@ -48,9 +50,10 @@ from tempest.lib.services.identity.v3.trusts_client import TrustsClient
from tempest.lib.services.identity.v3.users_client import UsersClient
from tempest.lib.services.identity.v3.versions_client import VersionsClient
__all__ = ['ApplicationCredentialsClient', 'CatalogClient',
'CredentialsClient', 'DomainsClient', 'DomainConfigurationClient',
'EndPointGroupsClient', 'EndPointsClient', 'EndPointsFilterClient',
__all__ = ['AccessRulesClient', 'ApplicationCredentialsClient',
'CatalogClient', 'CredentialsClient', 'DomainsClient',
'DomainConfigurationClient', 'EndPointGroupsClient',
'EndPointsClient', 'EndPointsFilterClient',
'GroupsClient', 'IdentityClient', 'InheritedRolesClient',
'OAUTHConsumerClient', 'OAUTHTokenClient', 'PoliciesClient',
'ProjectsClient', 'ProjectTagsClient', 'RegionsClient',

@ -0,0 +1,68 @@
# Copyright 2019 SUSE LLC
#
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""
https://docs.openstack.org/api-ref/identity/v3/index.html#application-credentials
"""
from oslo_serialization import jsonutils as json
from six.moves.urllib import parse as urllib
from tempest.lib.common import rest_client
class AccessRulesClient(rest_client.RestClient):
api_version = "v3"
def show_access_rule(self, user_id, access_rule_id):
"""Gets details of an access rule.
For a full list of available parameters, please refer to the official
API reference:
https://docs.openstack.org/api-ref/identity/v3/index.html#show-access-rule-details
"""
resp, body = self.get('users/%s/access_rules/%s' %
(user_id, access_rule_id))
self.expected_success(200, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)
def list_access_rules(self, user_id, **params):
"""Lists out all of a user's access rules.
For a full list of available parameters, please refer to the official
API reference:
https://docs.openstack.org/api-ref/identity/v3/index.html#list-access-rules
"""
url = 'users/%s/access_rules' % user_id
if params:
url += '?%s' % urllib.urlencode(params)
resp, body = self.get(url)
self.expected_success(200, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)
def delete_access_rule(self, user_id, access_rule_id):
"""Deletes an access rule.
For a full list of available parameters, please refer to the official
API reference:
https://docs.openstack.org/api-ref/identity/v3/index.html#delete-access-rule
"""
resp, body = self.delete('users/%s/access_rules/%s' %
(user_id, access_rule_id))
self.expected_success(204, resp.status)
return rest_client.ResponseBody(resp, body)

@ -0,0 +1,97 @@
# Copyright 2019 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from tempest.lib.services.identity.v3 import access_rules_client
from tempest.tests.lib import fake_auth_provider
from tempest.tests.lib.services import base
class TestAccessRulesClient(base.BaseServiceTest):
FAKE_LIST_ACCESS_RULES = {
"links": {
"self": "https://example.com/identity/v3/users/" +
"3e0716ae/access_rules",
"previous": None,
"next": None
},
"access_rules": [
{
"path": "/v2.0/metrics",
"links": {
"self": "https://example.com/identity/v3/access_rules/" +
"07d719df00f349ef8de77d542edf010c"
},
"id": "07d719df00f349ef8de77d542edf010c",
"service": "monitoring",
"method": "GET"
}
]
}
FAKE_ACCESS_RULE_INFO = {
"access_rule": {
"path": "/v2.0/metrics",
"links": {
"self": "https://example.com/identity/v3/access_rules/" +
"07d719df00f349ef8de77d542edf010c"
},
"id": "07d719df00f349ef8de77d542edf010c",
"service": "monitoring",
"method": "GET"
}
}
def setUp(self):
super(TestAccessRulesClient, self).setUp()
fake_auth = fake_auth_provider.FakeAuthProvider()
self.client = access_rules_client.AccessRulesClient(
fake_auth, 'identity', 'regionOne')
def _test_show_access_rule(self, bytes_body=False):
self.check_service_client_function(
self.client.show_access_rule,
'tempest.lib.common.rest_client.RestClient.get',
self.FAKE_ACCESS_RULE_INFO,
bytes_body,
user_id="123456",
access_rule_id="5499a186")
def _test_list_access_rules(self, bytes_body=False):
self.check_service_client_function(
self.client.list_access_rules,
'tempest.lib.common.rest_client.RestClient.get',
self.FAKE_LIST_ACCESS_RULES,
bytes_body,
user_id="123456")
def test_show_access_rule_with_str_body(self):
self._test_show_access_rule()
def test_show_access_rule_with_bytes_body(self):
self._test_show_access_rule(bytes_body=True)
def test_list_access_rule_with_str_body(self):
self._test_list_access_rules()
def test_list_access_rule_with_bytes_body(self):
self._test_list_access_rules(bytes_body=True)
def test_delete_access_rule(self):
self.check_service_client_function(
self.client.delete_access_rule,
'tempest.lib.common.rest_client.RestClient.delete',
{},
user_id="123456",
access_rule_id="5499a186",
status=204)
Loading…
Cancel
Save