189 lines
8.5 KiB
Python
189 lines
8.5 KiB
Python
# Copyright 2018 AT&T Corp
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
import logging
|
|
|
|
from airship_tempest_plugin.tests.api.shipyard.rbac import rbac_base
|
|
|
|
from patrole_tempest_plugin import rbac_rule_validation
|
|
|
|
from tempest import config
|
|
from tempest.lib import decorators
|
|
from tempest.lib import exceptions
|
|
|
|
CONF = config.CONF
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
class ActionsRbacTest(rbac_base.BaseShipyardRbacTest):
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:list_actions"])
|
|
@decorators.idempotent_id('183dd007-8a97-4070-afc3-9318401ebad7')
|
|
def test_list_actions(self):
|
|
with self.rbac_utils.override_role(self):
|
|
self.shipyard_actions_client.list_actions()
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:create_action"])
|
|
@decorators.idempotent_id('fff43c6f-b6ed-44dd-b47b-02c45d7bdb8c')
|
|
def test_create_action(self):
|
|
with self.rbac_utils.override_role(self):
|
|
# As this is a RBAC test, we only care about whether the role has
|
|
# permission or not. Role permission is checked prior to validating
|
|
# the post body, therefore we will ignore a BadRequest exception
|
|
# and NotFound exception
|
|
try:
|
|
self.shipyard_actions_client.create_action()
|
|
except (exceptions.BadRequest, exceptions.NotFound):
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:action_deploy_site"])
|
|
@decorators.idempotent_id('e69687da-8d4e-413b-a566-c0e56b5d1087')
|
|
def test_deploy_site(self):
|
|
with self.rbac_utils.override_role(self):
|
|
LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
|
|
"is enforced first and if permission is denied, then "
|
|
"there is no additional enforcement. If permission is "
|
|
"allowed to `workflow_orchestrator:create_action`, then "
|
|
"`workflow_orchestrator:action_deploy_site` is enforced. "
|
|
" If this test fails, check permissions of both actions.")
|
|
try:
|
|
self.shipyard_actions_client.create_action(
|
|
action="deploy_site")
|
|
# Ignore exceptions besides Forbidden
|
|
except (exceptions.BadRequest, exceptions.NotFound):
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:action_update_site"])
|
|
@decorators.idempotent_id('95f3b377-99ae-4ac2-8ce3-1e52ca081abc')
|
|
def test_update_site(self):
|
|
with self.rbac_utils.override_role(self):
|
|
LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
|
|
"is enforced first and if permission is denied, then "
|
|
"there is no additional enforcement. If permission is "
|
|
"allowed to `workflow_orchestrator:create_action`, then "
|
|
"`workflow_orchestrator:action_update_site` is enforced. "
|
|
" If this test fails, check permissions of both actions.")
|
|
try:
|
|
self.shipyard_actions_client.create_action(
|
|
action="update_site")
|
|
# Ignore exceptions besides Forbidden
|
|
except (exceptions.BadRequest, exceptions.NotFound):
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:action_update_software"])
|
|
@decorators.idempotent_id('18fae927-e759-4a60-bceb-81807b9f2c10')
|
|
def test_update_software(self):
|
|
with self.rbac_utils.override_role(self):
|
|
LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
|
|
"is enforced first and if permission is denied, then "
|
|
"there is no additional enforcement. If permission is "
|
|
"allowed to `workflow_orchestrator:create_action`, then "
|
|
"`workflow_orchestrator:action_update_software` is "
|
|
"enforced. If this test fails, check permissions of both "
|
|
"actions.")
|
|
try:
|
|
self.shipyard_actions_client.create_action(
|
|
action="update_software")
|
|
# Ignore exceptions besides Forbidden
|
|
except (exceptions.BadRequest, exceptions.NotFound):
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:action_redeploy_server"])
|
|
@decorators.idempotent_id('bba1eb77-c350-4c3b-b62d-3eea8bc13110')
|
|
def test_redeploy_server(self):
|
|
with self.rbac_utils.override_role(self):
|
|
LOG.warn("In this scenario, `workflow_orchestrator:create_action` "
|
|
"is enforced first and if permission is denied, then "
|
|
"there is no additional enforcement. If permission is "
|
|
"allowed to `workflow_orchestrator:create_action`, then "
|
|
"`workflow_orchestrator:action_redeploy_server` is "
|
|
"enforced. If this test fails, check permissions of both "
|
|
"actions.")
|
|
try:
|
|
self.shipyard_actions_client.create_action(
|
|
action="redeploy_server")
|
|
# Ignore exceptions besides Forbidden
|
|
except (exceptions.BadRequest, exceptions.NotFound):
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:get_action"])
|
|
@decorators.idempotent_id('68e2f10f-0676-41bb-8f47-bc695e1aa536')
|
|
def test_get_action(self):
|
|
with self.rbac_utils.override_role(self):
|
|
# As this is a RBAC test, we only care about whether the role has
|
|
# permission or not. Role permission is checked prior to validating
|
|
# the post body, therefore we will ignore a NotFound exception
|
|
try:
|
|
self.shipyard_actions_client.get_action()
|
|
except exceptions.NotFound:
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:get_action_validation"])
|
|
@decorators.idempotent_id('a5156dcd-2674-4295-aa6a-d8db1bd4cf4b')
|
|
def test_get_action_validation(self):
|
|
with self.rbac_utils.override_role(self):
|
|
# As this is a RBAC test, we only care about whether the role has
|
|
# permission or not. Role permission is checked prior to validating
|
|
# the post body, therefore we will ignore a NotFound exception
|
|
try:
|
|
self.shipyard_actions_client.get_action_validation()
|
|
except exceptions.NotFound:
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:get_action_step"])
|
|
@decorators.idempotent_id('6243d2ff-f88e-41cf-8169-140a551834a4')
|
|
def test_get_action_step(self):
|
|
with self.rbac_utils.override_role(self):
|
|
# As this is a RBAC test, we only care about whether the role has
|
|
# permission or not. Role permission is checked prior to validating
|
|
# the post body, therefore we will ignore a NotFound exception
|
|
try:
|
|
self.shipyard_actions_client.get_action_step()
|
|
except exceptions.NotFound:
|
|
pass
|
|
|
|
@rbac_rule_validation.action(
|
|
service="shipyard",
|
|
rules=["workflow_orchestrator:invoke_action_control"])
|
|
@decorators.idempotent_id('4f6b6564-ff1d-463a-aee8-ed2d51e2a286')
|
|
def test_invoke_action_control(self):
|
|
with self.rbac_utils.override_role(self):
|
|
# As this is a RBAC test, we only care about whether the role has
|
|
# permission or not. Role permission is checked prior to validating
|
|
# the post body, therefore we will ignore a NotFound exception
|
|
try:
|
|
self.shipyard_actions_client.invoke_action_control()
|
|
except exceptions.NotFound:
|
|
pass
|