Expand Designate RBAC testing - zone transfer req

This patch adds RBAC testing for allowed and disallowed credentials. This is one of a series of patches adding testing. This patch covers the zone transfer request API. Depends-On: https://review.opendev.org/c/openstack/designate/+/836217 Change-Id: I7699e44ced5462267fe45cac78b1ee148f6603f6
2022-04-01 23:08:54 +00:00 · 2022-04-01 23:08:54 +00:00 · 568dc60a27
parent 62c46b9ff6
commit 568dc60a27
2 changed files with 139 additions and 3 deletions
--- a/designate_tempest_plugin/services/dns/v2/json/transfer_request_client.py
+++ b/designate_tempest_plugin/services/dns/v2/json/transfer_request_client.py
@ -103,7 +103,7 @@ class TransferRequestClient(base.DnsClientV2Base):

    @base.handle_errors
    def update_transfer_request(self, uuid, transfer_request_data=None,
-                                params=None):
+                                params=None, headers=None):
        """Update a zone transfer_requests.
        :param uuid: Unique identifier of the zone transfer request in UUID
                     format.
@ -111,13 +111,15 @@ class TransferRequestClient(base.DnsClientV2Base):
                                data for zone transfer request
        :param params: A Python dict that represents the query paramaters to
                       include in the request URI.
+        :param headers (dict): The headers to use for the request.
        :return: Serialized imported zone as a dictionary.
        """
        transfer_request_uri = 'zones/tasks/transfer_requests'
        transfer_request_data = (transfer_request_data or
                                 dns_data_utils.rand_transfer_request_data())
        resp, body = self._update_request(
-            transfer_request_uri, uuid, transfer_request_data, params=params)
+            transfer_request_uri, uuid, transfer_request_data, params=params,
+            headers=headers)

        # Create Transfer request should Return a HTTP 200
        self.expected_success(200, resp.status)
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_request.py
@ -53,7 +53,8 @@ class BaseTransferRequestTest(base.BaseDnsV2Test):


 class TransferRequestTest(BaseTransferRequestTest):
-    credentials = ["primary", "alt", "admin", "system_admin"]
+    credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+                   "project_member", "project_reader"]

    @classmethod
    def setup_credentials(cls):
@ -83,6 +84,16 @@ class TransferRequestTest(BaseTransferRequestTest):
        zone = self.zone_client.create_zone(name=zone_name)[1]
        self.addCleanup(self.wait_zone_delete, self.zone_client, zone['id'])

+        # Test RBAC
+        expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+            expected_allowed.append('os_project_member')
+
+        self.check_CUD_RBAC_enforcement(
+            'TransferRequestClient', 'create_transfer_request',
+            expected_allowed, True, zone['id'])
+
        LOG.info('Create a zone transfer_request')
        transfer_request = self.client.create_transfer_request(zone['id'])[1]
        self.addCleanup(self.client.delete_transfer_request,
@ -147,6 +158,36 @@ class TransferRequestTest(BaseTransferRequestTest):
                 'created transfer_request')
        self.assertExpected(transfer_request, body, self.excluded_keys)

+        # TODO(johnsom) Test reader role once this bug is fixed:
+        #               https://bugs.launchpad.net/tempest/+bug/1964509
+        # Test RBAC
+        # Note: The create service client does not define a target project
+        #       ID, so everyone should be able to see it.
+        expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.extend(['os_system_admin', 'os_system_reader',
+                                     'os_project_member', 'os_project_reader'])
+
+        self.check_list_show_RBAC_enforcement(
+            'TransferRequestClient', 'show_transfer_request', expected_allowed,
+            True, transfer_request['id'])
+
+        # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_show_RBAC_enforcement(
+            'TransferRequestClient', 'show_transfer_request', expected_allowed,
+            True, transfer_request['id'], headers=self.all_projects_header)
+        # TODO(johnsom) Move this down to the impersonate test below when the
+        #               bug is resolved and the test is not skipped.
+        self.check_list_show_RBAC_enforcement(
+            'TransferRequestClient', 'show_transfer_request', expected_allowed,
+            True, transfer_request['id'],
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
    @decorators.idempotent_id('5bed4582-9cfb-11eb-a160-74e5f9e2a801')
    @decorators.skip_because(bug="1926572")
    def test_show_transfer_request_impersonate_another_project(self):
@ -205,6 +246,19 @@ class TransferRequestTest(BaseTransferRequestTest):
                                              "project_id"]
        self.assertExpected(transfer_request, body, excluded_keys)

+        # TODO(johnsom) Test reader role once this bug is fixed:
+        #               https://bugs.launchpad.net/tempest/+bug/1964509
+        # Test RBAC when a transfer target project is specified.
+        expected_allowed = ['os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+        else:
+            expected_allowed.append('os_admin')
+
+        self.check_list_show_RBAC_enforcement(
+            'TransferRequestClient', 'show_transfer_request', expected_allowed,
+            True, transfer_request['id'])
+
    @decorators.idempotent_id('7d81c487-aa15-44c4-b3e5-424ab9e6a3e5')
    def test_delete_transfer_request(self):
        LOG.info('Create a zone')
@ -219,6 +273,16 @@ class TransferRequestTest(BaseTransferRequestTest):
                        transfer_request['id'],
                        ignore_errors=lib_exc.NotFound)

+        # Test RBAC
+        expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+            expected_allowed.append('os_project_member')
+
+        self.check_CUD_RBAC_enforcement(
+            'TransferRequestClient', 'delete_transfer_request',
+            expected_allowed, True, transfer_request['id'])
+
        LOG.info('Delete the transfer_request')
        self.client.delete_transfer_request(transfer_request['id'])
        self.assertRaises(lib_exc.NotFound,
@ -242,6 +306,28 @@ class TransferRequestTest(BaseTransferRequestTest):

        self.assertGreater(len(body['transfer_requests']), 0)

+        # TODO(johnsom) Test reader role once this bug is fixed:
+        #               https://bugs.launchpad.net/tempest/+bug/1964509
+        # Test RBAC - Users that are allowed to call list, but should get
+        #             zero zones.
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin', 'os_system_reader',
+                                'os_admin', 'os_project_member',
+                                'os_project_reader']
+        else:
+            expected_allowed = ['os_alt']
+
+        self.check_list_RBAC_enforcement_count(
+            'TransferRequestClient', 'list_transfer_requests',
+            expected_allowed, 0)
+
+        # Test that users who should see the zone, can see it.
+        expected_allowed = ['os_primary']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'TransferRequestClient', 'list_transfer_requests',
+            expected_allowed, [transfer_request['id']])
+
    @decorators.idempotent_id('db985892-9d02-11eb-a160-74e5f9e2a801')
    def test_list_transfer_requests_all_projects(self):
        LOG.info('Create a Primary zone')
@ -293,6 +379,17 @@ class TransferRequestTest(BaseTransferRequestTest):
                          "Failed, transfer request ID:{} wasn't found in "
                          "listed IDs{}".format(request_id, request_ids))

+        # Test RBAC with x-auth-all-projects
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'TransferRequestClient', 'list_transfer_requests',
+            expected_allowed, [primary_transfer_request['id']],
+            headers=self.all_projects_header)
+
    @decorators.idempotent_id('bee42f38-e666-4b85-a710-01f40ea1e56a')
    def test_list_transfer_requests_impersonate_another_project(self):
        LOG.info('Create a Primary zone')
@ -328,6 +425,17 @@ class TransferRequestTest(BaseTransferRequestTest):

        self.assertEqual([alt_transfer_request['id']], request_ids)

+        # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'TransferRequestClient', 'list_transfer_requests',
+            expected_allowed, [primary_transfer_request['id']],
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
    @decorators.idempotent_id('de5e9d32-c723-4518-84e5-58da9722cc13')
    def test_update_transfer_request(self):
        LOG.info('Create a zone')
@ -351,6 +459,32 @@ class TransferRequestTest(BaseTransferRequestTest):
        self.assertEqual(data['description'],
                         transfer_request_patch['description'])

+        # Test RBAC
+        expected_allowed = ['os_admin', 'os_primary']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+
+        self.check_CUD_RBAC_enforcement(
+            'TransferRequestClient', 'update_transfer_request',
+            expected_allowed, True,
+            transfer_request['id'], transfer_request_data=data)
+
+        # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
+        expected_allowed = ['os_admin', 'os_primary']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+
+        self.check_CUD_RBAC_enforcement(
+            'TransferRequestClient', 'update_transfer_request',
+            expected_allowed, False,
+            transfer_request['id'], transfer_request_data=data,
+            headers=self.all_projects_header)
+        self.check_CUD_RBAC_enforcement(
+            'TransferRequestClient', 'update_transfer_request',
+            expected_allowed, False,
+            transfer_request['id'], transfer_request_data=data,
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
    @decorators.idempotent_id('73b754a9-e856-4fd6-80ba-e8d1b80f5dfa')
    def test_list_transfer_requests_dot_json_fails(self):
        uri = self.client.get_uri('transfer_requests.json')