summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRick Bartra <rb560u@att.com>2018-08-29 17:54:55 -0400
committerRick Bartra <rb560u@att.com>2018-08-30 15:56:43 -0400
commit447f6207654608448a439ed483968bbe2b76f2d2 (patch)
tree0014958f7be08b3f60868f624de58b5e2858950a
parent9ede7e52377c7c6b0b2f37790c0c960a199a8ff1 (diff)
Complete RBAC test coverage for Shipyard APIs
This commit adds the appropriate clients and tests for the following Shipyard API actions: - `workflow_orchestrator:action_deploy_site` - `workflow_orchestrator:action_update_site` - `workflow_orchestrator:action_update_software` - `workflow_orchestrator:action_redeploy_server` - `workflow_orchestrator:get_site_statuses` Change-Id: Ida48ec860dc7cd0842c65c662a50ec3d67c41b77
-rw-r--r--airship_tempest_plugin/services/shipyard/json/actions_client.py4
-rw-r--r--airship_tempest_plugin/services/shipyard/json/site_statuses_client.py34
-rw-r--r--airship_tempest_plugin/tests/api/common/rbac_roles.yaml16
-rw-r--r--airship_tempest_plugin/tests/api/shipyard/base.py7
-rw-r--r--airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py84
-rw-r--r--airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py39
6 files changed, 182 insertions, 2 deletions
diff --git a/airship_tempest_plugin/services/shipyard/json/actions_client.py b/airship_tempest_plugin/services/shipyard/json/actions_client.py
index 5b1001c..1cd3a50 100644
--- a/airship_tempest_plugin/services/shipyard/json/actions_client.py
+++ b/airship_tempest_plugin/services/shipyard/json/actions_client.py
@@ -39,10 +39,10 @@ class ActionsClient(rest_client.RestClient):
39 body = json.loads(body) 39 body = json.loads(body)
40 return rest_client.ResponseBody(resp, body) 40 return rest_client.ResponseBody(resp, body)
41 41
42 def create_action(self): 42 def create_action(self, action=None):
43 url = 'actions' 43 url = 'actions'
44 # Update post_body if functional testing is desired 44 # Update post_body if functional testing is desired
45 post_body = json.dumps({}) 45 post_body = json.dumps({"name": action})
46 resp, body = self.post(url, post_body) 46 resp, body = self.post(url, post_body)
47 self.expected_success(201, resp.status) 47 self.expected_success(201, resp.status)
48 body = json.loads(body) 48 body = json.loads(body)
diff --git a/airship_tempest_plugin/services/shipyard/json/site_statuses_client.py b/airship_tempest_plugin/services/shipyard/json/site_statuses_client.py
new file mode 100644
index 0000000..67146a6
--- /dev/null
+++ b/airship_tempest_plugin/services/shipyard/json/site_statuses_client.py
@@ -0,0 +1,34 @@
1# Copyright 2018 AT&T Corp
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15#
16
17"""
18https://github.com/openstack/airship-shipyard/blob/master/docs/source/API.rst#site-statuses-api
19"""
20
21from oslo_serialization import jsonutils as json
22
23from tempest.lib.common import rest_client
24
25
26class SiteStatusesClient(rest_client.RestClient):
27 api_version = "v1.0"
28
29 # Note: add support of query filters if testing beyond RBAC is desired
30 def get_site_statuses(self):
31 resp, body = self.get('site_statuses')
32 self.expected_success(200, resp.status)
33 body = json.loads(body)
34 return rest_client.ResponseBody(resp, body)
diff --git a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
index fd17b68..05b1742 100644
--- a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
+++ b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml
@@ -6,6 +6,18 @@ shipyard:
6 workflow_orchestrator:create_action: 6 workflow_orchestrator:create_action:
7 - admin 7 - admin
8 - admin_ucp 8 - admin_ucp
9 workflow_orchestrator:action_deploy_site:
10 - admin
11 - admin_ucp
12 workflow_orchestrator:action_update_site:
13 - admin
14 - admin_ucp
15 workflow_orchestrator:action_update_software:
16 - admin
17 - admin_ucp
18 workflow_orchestrator:action_redeploy_server:
19 - admin
20 - admin_ucp
9 workflow_orchestrator:get_action: 21 workflow_orchestrator:get_action:
10 - admin 22 - admin
11 - admin_ucp 23 - admin_ucp
@@ -51,3 +63,7 @@ shipyard:
51 - admin 63 - admin
52 - admin_ucp 64 - admin_ucp
53 - admin_ucp_viewer 65 - admin_ucp_viewer
66 workflow_orchestrator:get_site_statuses:
67 - admin
68 - admin_ucp
69 - admin_ucp_viewer
diff --git a/airship_tempest_plugin/tests/api/shipyard/base.py b/airship_tempest_plugin/tests/api/shipyard/base.py
index 6414463..47fb59a 100644
--- a/airship_tempest_plugin/tests/api/shipyard/base.py
+++ b/airship_tempest_plugin/tests/api/shipyard/base.py
@@ -22,6 +22,8 @@ from airship_tempest_plugin.services.shipyard.json.document_staging_client \
22 import DocumentStagingClient 22 import DocumentStagingClient
23from airship_tempest_plugin.services.shipyard.json.log_retrieval_client \ 23from airship_tempest_plugin.services.shipyard.json.log_retrieval_client \
24 import LogRetrievalClient 24 import LogRetrievalClient
25from airship_tempest_plugin.services.shipyard.json.site_statuses_client \
26 import SiteStatusesClient
25 27
26from tempest import config 28from tempest import config
27from tempest import test 29from tempest import test
@@ -65,3 +67,8 @@ class BaseShipyardTest(test.BaseTestCase):
65 CONF.shipyard.catalog_type, 67 CONF.shipyard.catalog_type,
66 CONF.identity.region, 68 CONF.identity.region,
67 CONF.shipyard.endpoint_type) 69 CONF.shipyard.endpoint_type)
70 cls.shipyard_site_statuses_client = SiteStatusesClient(
71 cls.auth_provider,
72 CONF.shipyard.catalog_type,
73 CONF.identity.region,
74 CONF.shipyard.endpoint_type)
diff --git a/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py b/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py
index 3c569d7..723fce5 100644
--- a/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py
+++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_actions_rbac.py
@@ -14,13 +14,19 @@
14# under the License. 14# under the License.
15# 15#
16 16
17import logging
18
17from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base 19from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base
18 20
19from patrole_tempest_plugin import rbac_rule_validation 21from patrole_tempest_plugin import rbac_rule_validation
20 22
23from tempest import config
21from tempest.lib import decorators 24from tempest.lib import decorators
22from tempest.lib import exceptions 25from tempest.lib import exceptions
23 26
27CONF = config.CONF
28LOG = logging.getLogger(__name__)
29
24 30
25class ActionsRbacTest(rbac_base.BaseShipyardRbacTest): 31class ActionsRbacTest(rbac_base.BaseShipyardRbacTest):
26 32
@@ -49,6 +55,84 @@ class ActionsRbacTest(rbac_base.BaseShipyardRbacTest):
49 55
50 @rbac_rule_validation.action( 56 @rbac_rule_validation.action(
51 service="shipyard", 57 service="shipyard",
58 rules=["workflow_orchestrator:action_deploy_site"])
59 @decorators.idempotent_id('e69687da-8d4e-413b-a566-c0e56b5d1087')
60 def test_deploy_site(self):
61 with self.rbac_utils.override_role(self):
62 LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
63 "is enforced first and if permission is denied, then "
64 "there is no additional enforcement. If permission is "
65 "allowed to `workflow_orchestrator:create_action`, then "
66 "`workflow_orchestrator:action_deploy_site` is enforced. "
67 " If this test fails, check permissions of both actions.")
68 try:
69 self.shipyard_actions_client.create_action(
70 action="deploy_site")
71 # Ignore exceptions besides Forbidden
72 except (exceptions.BadRequest, exceptions.NotFound):
73 pass
74
75 @rbac_rule_validation.action(
76 service="shipyard",
77 rules=["workflow_orchestrator:action_update_site"])
78 @decorators.idempotent_id('95f3b377-99ae-4ac2-8ce3-1e52ca081abc')
79 def test_update_site(self):
80 with self.rbac_utils.override_role(self):
81 LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
82 "is enforced first and if permission is denied, then "
83 "there is no additional enforcement. If permission is "
84 "allowed to `workflow_orchestrator:create_action`, then "
85 "`workflow_orchestrator:action_update_site` is enforced. "
86 " If this test fails, check permissions of both actions.")
87 try:
88 self.shipyard_actions_client.create_action(
89 action="update_site")
90 # Ignore exceptions besides Forbidden
91 except (exceptions.BadRequest, exceptions.NotFound):
92 pass
93
94 @rbac_rule_validation.action(
95 service="shipyard",
96 rules=["workflow_orchestrator:action_update_software"])
97 @decorators.idempotent_id('18fae927-e759-4a60-bceb-81807b9f2c10')
98 def test_update_software(self):
99 with self.rbac_utils.override_role(self):
100 LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
101 "is enforced first and if permission is denied, then "
102 "there is no additional enforcement. If permission is "
103 "allowed to `workflow_orchestrator:create_action`, then "
104 "`workflow_orchestrator:action_update_software` is "
105 "enforced. If this test fails, check permissions of both "
106 "actions.")
107 try:
108 self.shipyard_actions_client.create_action(
109 action="update_software")
110 # Ignore exceptions besides Forbidden
111 except (exceptions.BadRequest, exceptions.NotFound):
112 pass
113
114 @rbac_rule_validation.action(
115 service="shipyard",
116 rules=["workflow_orchestrator:action_redeploy_server"])
117 @decorators.idempotent_id('bba1eb77-c350-4c3b-b62d-3eea8bc13110')
118 def test_redeploy_server(self):
119 with self.rbac_utils.override_role(self):
120 LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
121 "is enforced first and if permission is denied, then "
122 "there is no additional enforcement. If permission is "
123 "allowed to `workflow_orchestrator:create_action`, then "
124 "`workflow_orchestrator:action_redeploy_server` is "
125 "enforced. If this test fails, check permissions of both "
126 "actions.")
127 try:
128 self.shipyard_actions_client.create_action(
129 action="redeploy_server")
130 # Ignore exceptions besides Forbidden
131 except (exceptions.BadRequest, exceptions.NotFound):
132 pass
133
134 @rbac_rule_validation.action(
135 service="shipyard",
52 rules=["workflow_orchestrator:get_action"]) 136 rules=["workflow_orchestrator:get_action"])
53 @decorators.idempotent_id('68e2f10f-0676-41bb-8f47-bc695e1aa536') 137 @decorators.idempotent_id('68e2f10f-0676-41bb-8f47-bc695e1aa536')
54 def test_get_action(self): 138 def test_get_action(self):
diff --git a/airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py b/airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py
new file mode 100644
index 0000000..cafcba1
--- /dev/null
+++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_site_statuses.py
@@ -0,0 +1,39 @@
1# Copyright 2018 AT&T Corp
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15#
16
17from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base
18
19from patrole_tempest_plugin import rbac_rule_validation
20
21from tempest.lib import decorators
22from tempest.lib import exceptions
23
24
25class SiteStatusesRbacTest(rbac_base.BaseShipyardRbacTest):
26
27 @rbac_rule_validation.action(
28 service="shipyard",
29 rules=["workflow_orchestrator:get_site_statuses"])
30 @decorators.idempotent_id('3fcc69f6-8e15-4062-b582-2e5c366a6dc3')
31 def test_get_site_statuses(self):
32 with self.rbac_utils.override_role(self):
33 # As this is a RBAC test, we only care about whether the role has
34 # permission or not. Role permission is checked prior to validating
35 # the post body, therefore we will ignore a BadRequest exception
36 try:
37 self.shipyard_site_statuses_client.get_site_statuses()
38 except exceptions.BadRequest:
39 pass