Add list security group rules API test

This test checks that a regular user can see all SG rules which belong
to his tenant OR belong to a security group owned by his tenant.

This test also ensures that SG rules from different tenants and Security
Groups are not visible to a regular user.

Fix for master branch
Depends-On: https://review.opendev.org/681910

Fix for stable/train
Depends-On: https://review.opendev.org/688715

Fix for stable/stein
Depends-On: https://review.opendev.org/688716

Fix for stable/rocky
Depends-On: https://review.opendev.org/688717

Fix for stable/queens
Depends-On: https://review.opendev.org/688719

Change-Id: Ic2e97ab8162d10e507ef83b9af0840e7311f0587
Related-Bug: #1824248
Slawek Kaplonski 2019-09-12 22:11:35 +02:00
parent 15c85f6509
commit 31c0006ded
2 changed files with 42 additions and 0 deletions


@ -76,6 +76,39 @@ class SecGroupTest(base.BaseAdminNetworkTest):
self.assertIn(
security_group_rule['id'], observerd_security_group_rules_ids)
@decorators.idempotent_id('b5923b1a-4d33-44e1-af25-088dcb55b02b')
def test_list_security_group_rules_contains_all_rules(self):
"""Test list security group rules.
This test checks if all SG rules which belongs to the tenant OR
which belongs to the tenant's security group are listed.
"""
security_group = self.create_security_group()
protocol = random.choice(list(base_security_groups.V4_PROTOCOL_NAMES))
security_group_rule = self.create_security_group_rule(
security_group=security_group,
project={'id': self.admin_client.tenant_id},
client=self.admin_client,
protocol=protocol,
direction=constants.INGRESS_DIRECTION)
# Create also other SG with some custom rule to check that regular user
# can't see this rule
admin_security_group = self.create_security_group(
project={'id': self.admin_client.tenant_id},
client=self.admin_client)
admin_security_group_rule = self.create_security_group_rule(
security_group=admin_security_group,
project={'id': self.admin_client.tenant_id},
client=self.admin_client,
protocol=protocol,
direction=constants.INGRESS_DIRECTION)
rules = self.client.list_security_group_rules()['security_group_rules']
rules_ids = [rule['id'] for rule in rules]
self.assertIn(security_group_rule['id'], rules_ids)
self.assertNotIn(admin_security_group_rule['id'], rules_ids)
@decorators.idempotent_id('7c0ecb10-b2db-11e6-9b14-000c29248b0d')
def test_create_bulk_sec_groups(self):
# Creates 2 sec-groups in one request
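Review bot: The isolation check at the end of test_list_security_group_rules_contains_all_rules excludes only the one explicitly created `admin_security_group_rule`, so any other rule attached to `admin_security_group` (for example rules the server may create together with the group) could appear in the regular user's listing without failing the test. Asserting on the group instead of the single rule would close that gap: `self.assertNotIn(admin_security_group['id'], [rule['security_group_id'] for rule in rules])`. The positive side covers only a rule created by the admin client inside the group returned by `self.create_security_group()` (presumably owned by the regular tenant); a rule owned by the regular tenant itself is not exercised, although the docstring names both cases. Because `protocol` is picked with `random.choice`, logging the chosen value would make a failure easier to reproduce.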


@ -893,6 +893,15 @@ class NetworkClientJSON(service_client.RestClient):
self.expected_success(204, resp.status)
return service_client.ResponseBody(resp, body)
def list_security_group_rules(self, **kwargs):
uri = '%s/security-group-rules' % self.uri_prefix
if kwargs:
uri += '?' + urlparse.urlencode(kwargs, doseq=1)
resp, body = self.get(uri)
self.expected_success(200, resp.status)
body = jsonutils.loads(body)
return service_client.ResponseBody(resp, body)
def create_security_group_rule(self, direction, security_group_id,
**kwargs):
post_body = {'security_group_rule': kwargs}
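Review bot: list_security_group_rules has no docstring, and nothing in it states that the result depends on the credentials of the client making the call, which is what the new tenant-isolation test relies on. A one-line docstring such as `"""List the security group rules visible to this client; kwargs are sent as query filters."""` would make that explicit for the next test author. `doseq=1` works but is clearer as `doseq=True`. The create_security_group_rule definition that follows continues outside the hunk.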