Refactoring RbacUtils part 3 - documentation
Change the documentation according to new RbacUtilsMixin

Story: 2002604
Task: 22223
Change-Id: I30ab8ea002f9312a5b50e2f2c511ed321a679c00
parent d3d77ef10c
commit 78e7f57fdb
|
@ -64,7 +64,7 @@ Role Overriding
|
|||
---------------
|
||||
|
||||
Correct role overriding is vital to correct RBAC testing within Patrole. If a
|
||||
test does not call ``rbac_utils.override_role`` within the RBAC test, followed
|
||||
test does not call ``self.override_role()`` within the RBAC test, followed
|
||||
by the API endpoint that enforces the expected policy action, then the test is
|
||||
**not** a valid Patrole test: The API endpoint under test will be performed
|
||||
with admin role, which is always wrong unless ``CONF.patrole.rbac_test_role``
|
||||
|
|
|
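Review bot: The last context line of this paragraph still names ``CONF.patrole.rbac_test_role`` (singular), while the role-workflow text updated later in this patch refers to ``[patrole] rbac_test_roles``; since the paragraph is being edited anyway, use one option name in both places. Separately, ``override_role`` is used as a context manager in every example in this patch, so "does not call ``self.override_role()``" would read more precisely as "does not enter ``with self.override_role():``".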
@ -80,7 +80,7 @@ Test duplication means:
|
|||
* testing the same policy in more than one test
|
||||
|
||||
For the first bullet, try to avoid calling the same API inside the
|
||||
``self.rbac_utils.override_role`` call.
|
||||
``self.override_role()`` call.
|
||||
|
||||
.. note::
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ Below is an example of multi-policy validation for a carefully chosen Nova API:
|
|||
self.os_admin.servers_client.lock_server(self.server['id'])
|
||||
self.addCleanup(self.servers_client.unlock_server, self.server['id'])
|
||||
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self.servers_client.unlock_server(self.server['id'])
|
||||
|
||||
While the ``expected_error_codes`` parameter is omitted in the example above,
|
||||
|
@ -96,7 +96,7 @@ attribute that is added only following successful policy authorization.
|
|||
# Verify specific fields of a port
|
||||
fields = ['binding:vif_type']
|
||||
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
retrieved_port = self.ports_client.show_port(
|
||||
self.port['id'], fields=fields)['port']
|
||||
|
||||
|
@ -131,7 +131,7 @@ A basic Neutron example that only expects 403's to be raised:
|
|||
|
||||
RBAC test for the neutron create_network:router:external policy
|
||||
"""
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self._create_network(router_external=True)
|
||||
|
||||
Note that above the following expected error codes/rules relationship is
|
||||
|
@ -158,7 +158,7 @@ subsequent policy authorization failure:
|
|||
|
||||
RBAC test for the neutron update_network:shared policy
|
||||
"""
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self._update_network(shared_network=True)
|
||||
self.addCleanup(self._update_network, shared_network=False)
|
||||
|
||||
|
|
|
@ -34,7 +34,7 @@ The role workflow is as follows:
|
|||
#. Setup: Admin role is used automatically. The primary credentials are
|
||||
overridden with the admin role.
|
||||
#. Test execution: ``[patrole] rbac_test_roles`` is used manually via the
|
||||
call to ``with rbac_utils.override_role(self)``. Everything that
|
||||
call to ``with self.override_role()``. Everything that
|
||||
is executed within this contextmanager uses the primary
|
||||
credentials overridden with the ``[patrole] rbac_test_roles``.
|
||||
#. Teardown: Admin role is used automatically. The primary credentials have
|
||||
|
@ -68,7 +68,7 @@ Manual role override required.
|
|||
"Test execution" here means calling the API endpoint that enforces the policy
|
||||
action expected by the ``rbac_rule_validation`` decorator. Test execution
|
||||
should be performed *only after* calling
|
||||
``with rbac_utils.override_role(self)``.
|
||||
``with self.override_role()``.
|
||||
|
||||
Immediately after that call, the API endpoint that enforces the policy should
|
||||
be called.
|
||||
|
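Review bot: In the changed sentence, "performed *only after* calling ``with self.override_role()``" can be read as allowing the endpoint call anywhere after the ``with`` statement, including after the block has exited. The role-workflow text in this patch says only what runs within the contextmanager uses the test role, and every example places the policy-enforcing call inside the block, so suggest wording such as "should be performed *only inside* the ``with self.override_role():`` block". The shortened reference also now fits on the preceding line.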
@ -89,7 +89,7 @@ Example::
|
|||
aggregate_id = self._create_aggregate()
|
||||
# Call the ``override_role`` method so that the primary credentials
|
||||
# have the test role needed for test execution.
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self.aggregates_client.show_aggregate(aggregate_id)
|
||||
|
||||
When using a waiter, do the wait outside the contextmanager. "Waiting" always
|
||||
|
@ -113,7 +113,7 @@ Example using waiter::
|
|||
self.addCleanup(self.servers_client.change_password, self.server['id'],
|
||||
adminPass=original_password)
|
||||
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self.servers_client.change_password(
|
||||
self.server['id'], adminPass=data_utils.rand_password())
|
||||
# Call the waiter outside the ``override_role`` contextmanager, so that
|
||||
|
@ -145,7 +145,7 @@ Incorrect::
|
|||
# Never call a helper function inside the contextmanager that calls a
|
||||
# bunch of APIs. Only call the API that enforces the policy action
|
||||
# contained in the decorator above.
|
||||
with self.rbac_utils.override_role(self):
|
||||
with self.override_role():
|
||||
self._complex_setup_method()
|
||||
|
||||
To fix this test, see the "Example using waiter" section above. It is
|
||||
|
|
|
@ -461,7 +461,7 @@ def _check_for_expected_mismatch_exception(expected_exception,
|
|||
|
||||
|
||||
def _validate_override_role_called(test_obj, actual_exception):
|
||||
"""Validates that :func:`rbac_utils.RbacUtils.override_role` is called
|
||||
"""Validates that :func:`rbac_utils.RbacUtilsMixin.override_role` is called
|
||||
during each Patrole test.
|
||||
|
||||
Useful for validating that the expected exception isn't raised too early
|
||||
|
|
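Review bot: The docstring cross-reference uses ``:func:`` for ``rbac_utils.RbacUtilsMixin.override_role``, which is a method on a class; ``:meth:`` is the matching Sphinx role, and this rename is a convenient point to switch. It is also worth confirming that the reference resolves in the built docs, because the target changed from ``RbacUtils`` to ``RbacUtilsMixin``.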