Validate omission of expected_error_codes defaults to 403

Add a test that checks that the omission of expected_error_codes defaults to [403] * len(rules). This helps to validate the recent change: https://review.openstack.org/#/c/592935/ Change-Id: I0faa89ab22ab6f811c3d927f76cfb20c2d63012a
2018-08-17 10:29:45 -04:00 · 2018-08-17 10:29:45 -04:00 · 0710e5d6c8
parent 825d79452c
commit 0710e5d6c8
1 changed files with 39 additions and 0 deletions
--- a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
@ -641,6 +641,7 @@ class RBACRuleValidationTestMultiPolicy(BaseRBACRuleValidationTest):
        m_authority.allowed.assert_has_calls([
            mock.call(rule, CONF.patrole.rbac_test_roles) for rule in rules
        ])
+        m_authority.allowed.reset_mock()

    @mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
    def test_rule_validation_multi_policy_have_permission_success(
@ -826,6 +827,44 @@ class RBACRuleValidationTestMultiPolicy(BaseRBACRuleValidationTest):
        _do_test([True, False, False, True], 'mock.sentinel.action2')
        _do_test([True, False, True, False], 'mock.sentinel.action2')

+    @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+    @mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
+    def test_rule_validation_multi_policy_defaults_to_correct_error_codes(
+            self, mock_authority, mock_log):
+        """Test omission of expected_error_codes defaults to [403] * len(rules)
+        """
+        mock_authority.PolicyAuthority.return_value.allowed.\
+            return_value = False
+        expected_log = "%s: Expecting %d to be raised for policy name: %s"
+
+        # Validate with single rule => expected_error_codes == [403].
+        rules = [mock.sentinel.action1]
+
+        @rbac_rv.action(mock.sentinel.service, rules=rules)
+        def test_policy(*args):
+            raise exceptions.Forbidden()
+
+        test_policy(self.mock_test_args)
+        self._assert_policy_authority_called_with(rules, mock_authority)
+        # Assert that 403 is expected.
+        mock_calls = [x[1] for x in mock_log.debug.mock_calls]
+        self.assertTrue(
+            any([(expected_log, 'test_policy', 403, rules[0]) in mock_calls]))
+
+        # Validate with multiple rules => expected_error_codes == [403, 403].
+        rules = [mock.sentinel.action1, mock.sentinel.action2]
+
+        @rbac_rv.action(mock.sentinel.service, rules=rules)
+        def test_policy(*args):
+            raise exceptions.Forbidden()
+
+        test_policy(self.mock_test_args)
+        self._assert_policy_authority_called_with(rules, mock_authority)
+        # Assert that 403 is expected.
+        mock_calls = [x[1] for x in mock_log.debug.mock_calls]
+        self.assertTrue(
+            any([(expected_log, 'test_policy', 403, rules[0]) in mock_calls]))
+
    def test_prepare_multi_policy_allowed_usages(self):

        def _do_test(rules, ecodes, exp_rules, exp_ecodes):