Complete RBAC test coverage for Shipyard Document Staging API

This commmit completes RBAC coverage for Shipyard Document Staging API,
for the APIs noted here [0]. For now, the goal is to meet the first use-case
of this plugin, which is to test RBAC for Shipyard. With this in mind, for RBAC
testing, we only care if a role has permission to an API in question. Therefore,
some of the more complex APIs are 'short circuit' tests - meaning only RBAC
permissions are checked and other expections are ignored.

[0] http://airship-shipyard.readthedocs.io/en/latest/API.html#document-staging-api
This commit is contained in:
Rick Bartra 2018-08-17 17:37:51 -04:00
parent 6b87d7d633
commit e7807b4caf
5 changed files with 112 additions and 6 deletions

View File

@ -4,3 +4,11 @@ Tempest Integration of airship-tempest-plugin
The purpose of this plugin is to provide automated tests The purpose of this plugin is to provide automated tests
for all OpenStack Airship components. for all OpenStack Airship components.
DISCALIMER:
This initial implementation is just to meet the first use case which is RBAC
testing. For RBAC testing, we only need to hit the API endpoint and check
role permission to the API being tested. Some of the REST clients will need to be
rewritten if functional testing is desired. Those that need to be rewritten
are documented in each service client code.

View File

@ -1,6 +0,0 @@
===============================================
Tempest Integration of airship-tempest-plugin
===============================================
This directory contains Tempest tests to cover the airship-tempest-plugin project.

View File

@ -23,6 +23,15 @@ from six.moves.urllib import parse as urllib
from tempest.lib.common import rest_client from tempest.lib.common import rest_client
# NOTE(rb560u): The following will need to be rewritten in the future if
# functional testing is desired:
# - 'def post_configdocs`
# - `def get_configdocs_within_collection`
# - 'def post_commitconfigdocs'
# This initial implementation is just to meet the first use case which is RBAC
# testing. For RBAC testing, we only need to hit the API endpoint and check
# role permission to that API.
class DocumentStagingClient(rest_client.RestClient): class DocumentStagingClient(rest_client.RestClient):
api_version = "v1.0" api_version = "v1.0"
@ -32,3 +41,30 @@ class DocumentStagingClient(rest_client.RestClient):
self.expected_success(200, resp.status) self.expected_success(200, resp.status)
body = json.loads(body) body = json.loads(body)
return rest_client.ResponseBody(resp, body) return rest_client.ResponseBody(resp, body)
def post_configdocs(self):
url = "configdocs/1"
post_body = json.dumps({})
resp, body = self.post(url, post_body)
self.expected_success(201, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)
def get_configdocs_within_collection(self):
resp, body = self.get('configdocs/1')
self.expected_success(200, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)
def get_renderedconfigdocs(self):
resp, body = self.get('renderedconfigdocs')
self.expected_success(200, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)
def post_commitconfigdocs(self):
post_body = json.dumps({})
resp, body = self.post("commitconfigdocs", post_body)
self.expected_success(200, resp.status)
body = json.loads(body)
return rest_client.ResponseBody(resp, body)

View File

@ -11,3 +11,18 @@ shipyard:
- admin - admin
- admin_ucp - admin_ucp
- admin_ucp_viewer - admin_ucp_viewer
post_configdocs:
- admin
- admin_ucp
get_configdocs_within_collection:
- admin
- admin_ucp
- admin_ucp_viewer
get_renderedconfigdocs:
- admin
- admin_ucp
- admin_ucp_viewer
post_commitconfigdocs:
- admin
- admin_ucp
- admin_ucp_viewer

View File

@ -20,6 +20,7 @@ from patrole_tempest_plugin import rbac_rule_validation
from tempest.common import utils from tempest.common import utils
from tempest.lib import decorators from tempest.lib import decorators
from tempest.lib import exceptions
from tempest.lib.common.utils import data_utils from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils from tempest.lib.common.utils import test_utils
@ -33,3 +34,55 @@ class DocumentStagingRbacTest(rbac_base.BaseShipyardRbacTest):
def test_get_configdocs(self): def test_get_configdocs(self):
with self.rbac_utils.override_role(self): with self.rbac_utils.override_role(self):
self.shipyard_document_staging_client.get_configdocs() self.shipyard_document_staging_client.get_configdocs()
@rbac_rule_validation.action(service="shipyard",
rules=["post_configdocs"])
@decorators.idempotent_id('1a0daf92-9dba-470c-a317-66b41c0b3df7')
def test_post_configdocs(self):
with self.rbac_utils.override_role(self):
# As this is a RBAC test, we only care about whether the role has
# permission or not. Role permission is checked prior to validating
# the post body, therefore we will ignore a BadRequest exception
try:
self.shipyard_document_staging_client.post_configdocs()
except exceptions.BadRequest:
pass
@rbac_rule_validation.action(service="shipyard",
rules=["get_configdocs_within_collection"])
@decorators.idempotent_id('d64cfa75-3bbe-4688-8849-db5a54ce98ea')
def test_get_configdocs_within_collection(self):
with self.rbac_utils.override_role(self):
# As this is a RBAC test, we only care about whether the role has
# permission or not. Role permission is checked prior to validating
# the post body, therefore we will ignore a NotFound exception
try:
self.shipyard_document_staging_client.get_configdocs_within_collection()
except exceptions.NotFound:
pass
@rbac_rule_validation.action(service="shipyard",
rules=["get_renderedconfigdocs"])
@decorators.idempotent_id('0ab53b15-bce9-494f-9a11-34dd2c44d699')
def test_get_renderedconfigdocs(self):
with self.rbac_utils.override_role(self):
# As this is a RBAC test, we only care about whether the role has
# permission or not. Role permission is checked prior to validating
# the post body, therefore we will ignore a NotFound exception
try:
self.shipyard_document_staging_client.get_renderedconfigdocs()
except exceptions.NotFound:
pass
@rbac_rule_validation.action(service="shipyard",
rules=["post_commitconfigdocs"])
@decorators.idempotent_id('200d1cbf-ca11-4b92-9cfd-6cd2a90bc919')
def test_post_commitconfigdocs(self):
with self.rbac_utils.override_role(self):
# As this is a RBAC test, we only care about whether the role has
# permission or not. Role permission is checked prior to validating
# the post body, therefore we will ignore a Conflict exception
try:
self.shipyard_document_staging_client.post_commitconfigdocs()
except exceptions.Conflict:
pass