From e7807b4caf37ce47818602759dbf382fb3f0f283 Mon Sep 17 00:00:00 2001 From: Rick Bartra Date: Fri, 17 Aug 2018 17:37:51 -0400 Subject: [PATCH] Complete RBAC test coverage for Shipyard Document Staging API This commmit completes RBAC coverage for Shipyard Document Staging API, for the APIs noted here [0]. For now, the goal is to meet the first use-case of this plugin, which is to test RBAC for Shipyard. With this in mind, for RBAC testing, we only care if a role has permission to an API in question. Therefore, some of the more complex APIs are 'short circuit' tests - meaning only RBAC permissions are checked and other expections are ignored. [0] http://airship-shipyard.readthedocs.io/en/latest/API.html#document-staging-api --- README.rst | 8 +++ airship_tempest_plugin/README.rst | 6 --- .../shipyard/json/document_staging_client.py | 36 +++++++++++++ .../tests/api/common/rbac_roles.yaml | 15 ++++++ .../rbac/test_document_staging_rbac.py | 53 +++++++++++++++++++ 5 files changed, 112 insertions(+), 6 deletions(-) delete mode 100644 airship_tempest_plugin/README.rst diff --git a/README.rst b/README.rst index f028be8..f27f368 100644 --- a/README.rst +++ b/README.rst @@ -4,3 +4,11 @@ Tempest Integration of airship-tempest-plugin The purpose of this plugin is to provide automated tests for all OpenStack Airship components. + +DISCALIMER: +This initial implementation is just to meet the first use case which is RBAC +testing. For RBAC testing, we only need to hit the API endpoint and check +role permission to the API being tested. Some of the REST clients will need to be +rewritten if functional testing is desired. Those that need to be rewritten +are documented in each service client code. + diff --git a/airship_tempest_plugin/README.rst b/airship_tempest_plugin/README.rst deleted file mode 100644 index 1a0edb4..0000000 --- a/airship_tempest_plugin/README.rst +++ /dev/null @@ -1,6 +0,0 @@ -=============================================== -Tempest Integration of airship-tempest-plugin -=============================================== - -This directory contains Tempest tests to cover the airship-tempest-plugin project. - diff --git a/airship_tempest_plugin/services/shipyard/json/document_staging_client.py b/airship_tempest_plugin/services/shipyard/json/document_staging_client.py index 80acae4..353464b 100644 --- a/airship_tempest_plugin/services/shipyard/json/document_staging_client.py +++ b/airship_tempest_plugin/services/shipyard/json/document_staging_client.py @@ -23,6 +23,15 @@ from six.moves.urllib import parse as urllib from tempest.lib.common import rest_client +# NOTE(rb560u): The following will need to be rewritten in the future if +# functional testing is desired: +# - 'def post_configdocs` +# - `def get_configdocs_within_collection` +# - 'def post_commitconfigdocs' +# This initial implementation is just to meet the first use case which is RBAC +# testing. For RBAC testing, we only need to hit the API endpoint and check +# role permission to that API. + class DocumentStagingClient(rest_client.RestClient): api_version = "v1.0" @@ -32,3 +41,30 @@ class DocumentStagingClient(rest_client.RestClient): self.expected_success(200, resp.status) body = json.loads(body) return rest_client.ResponseBody(resp, body) + + def post_configdocs(self): + url = "configdocs/1" + post_body = json.dumps({}) + resp, body = self.post(url, post_body) + self.expected_success(201, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + + def get_configdocs_within_collection(self): + resp, body = self.get('configdocs/1') + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + + def get_renderedconfigdocs(self): + resp, body = self.get('renderedconfigdocs') + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + + def post_commitconfigdocs(self): + post_body = json.dumps({}) + resp, body = self.post("commitconfigdocs", post_body) + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) diff --git a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml index 69063c7..4f6fed4 100644 --- a/airship_tempest_plugin/tests/api/common/rbac_roles.yaml +++ b/airship_tempest_plugin/tests/api/common/rbac_roles.yaml @@ -11,3 +11,18 @@ shipyard: - admin - admin_ucp - admin_ucp_viewer + post_configdocs: + - admin + - admin_ucp + get_configdocs_within_collection: + - admin + - admin_ucp + - admin_ucp_viewer + get_renderedconfigdocs: + - admin + - admin_ucp + - admin_ucp_viewer + post_commitconfigdocs: + - admin + - admin_ucp + - admin_ucp_viewer diff --git a/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py b/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py index 2906cda..26970fa 100644 --- a/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py +++ b/airship_tempest_plugin/tests/api/shipyard/rbac/test_document_staging_rbac.py @@ -20,6 +20,7 @@ from patrole_tempest_plugin import rbac_rule_validation from tempest.common import utils from tempest.lib import decorators +from tempest.lib import exceptions from tempest.lib.common.utils import data_utils from tempest.lib.common.utils import test_utils @@ -33,3 +34,55 @@ class DocumentStagingRbacTest(rbac_base.BaseShipyardRbacTest): def test_get_configdocs(self): with self.rbac_utils.override_role(self): self.shipyard_document_staging_client.get_configdocs() + + @rbac_rule_validation.action(service="shipyard", + rules=["post_configdocs"]) + @decorators.idempotent_id('1a0daf92-9dba-470c-a317-66b41c0b3df7') + def test_post_configdocs(self): + with self.rbac_utils.override_role(self): + # As this is a RBAC test, we only care about whether the role has + # permission or not. Role permission is checked prior to validating + # the post body, therefore we will ignore a BadRequest exception + try: + self.shipyard_document_staging_client.post_configdocs() + except exceptions.BadRequest: + pass + + @rbac_rule_validation.action(service="shipyard", + rules=["get_configdocs_within_collection"]) + @decorators.idempotent_id('d64cfa75-3bbe-4688-8849-db5a54ce98ea') + def test_get_configdocs_within_collection(self): + with self.rbac_utils.override_role(self): + # As this is a RBAC test, we only care about whether the role has + # permission or not. Role permission is checked prior to validating + # the post body, therefore we will ignore a NotFound exception + try: + self.shipyard_document_staging_client.get_configdocs_within_collection() + except exceptions.NotFound: + pass + + @rbac_rule_validation.action(service="shipyard", + rules=["get_renderedconfigdocs"]) + @decorators.idempotent_id('0ab53b15-bce9-494f-9a11-34dd2c44d699') + def test_get_renderedconfigdocs(self): + with self.rbac_utils.override_role(self): + # As this is a RBAC test, we only care about whether the role has + # permission or not. Role permission is checked prior to validating + # the post body, therefore we will ignore a NotFound exception + try: + self.shipyard_document_staging_client.get_renderedconfigdocs() + except exceptions.NotFound: + pass + + @rbac_rule_validation.action(service="shipyard", + rules=["post_commitconfigdocs"]) + @decorators.idempotent_id('200d1cbf-ca11-4b92-9cfd-6cd2a90bc919') + def test_post_commitconfigdocs(self): + with self.rbac_utils.override_role(self): + # As this is a RBAC test, we only care about whether the role has + # permission or not. Role permission is checked prior to validating + # the post body, therefore we will ignore a Conflict exception + try: + self.shipyard_document_staging_client.post_commitconfigdocs() + except exceptions.Conflict: + pass