Patrole project is not active anymore and its gate is broken.
We waited for couple of cycle to see if there is any interest
in this project and anyone can maintain it. But we did not get any
new maintainers and current QA team does not have bandwidth/interest
to continue maintaining it.
This project was for RBAc testing which is moving towards unit/functional
tests on service side as well as tempest plugins tests.
In QA 2023.2 PTG, we decided to retire this project
- https://etherpad.opendev.org/p/qa-bobcat-ptg
Change-Id: I7721cf06104e5871ec27cdd87d4608dace60a8b7
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Update hacking extension for newer flake8. Remove vi header check, this
is enabled as H106 already.
Fix problems found.
Change-Id: Ie4ccf0a1075995f5624a838388b6b0b46343129a
- When the URL refers to cloning or using git repositories, use the
cloning URL (https://git.openstack.org/<namespace>/<project>)
- When the URL refers to the browsable version of the repository, point to
the cgit frontend (https://git.openstack.org/cgit/<namespace>/<project>)
Change-Id: Iaeaa153a05aa85b9cf7451ae3c28aec56722222c
This documentation is included in HACKING at the top to let
newcomers know that Patrole's testing scope is confined to the
following projects:
* Cinder
* Glance
* Keystone
* Neutron
* Nova
Depends-On: https://review.openstack.org/#/c/615394
Change-Id: I6f70a6169592fec41de67ecfed6e5ca5b9af0deb
This patch set adds documentation about white box vs block box
testing and their relationship in Patrole. This is so that
devs/test writers understand that Patrole is a bit different than
Tempest and requires digging a bit deeper in the internals of
the API implementation in order to properly test RBAC.
Also removes a misleading link in the README.rst section. The
discussion on member vs. _member_ role is very outdated and
so a link is provided to the RBAC overview section instead which
is concerned with documenting such information.
Change-Id: I0a014c2e917caeb058dd5b5294dd0af2e5e49132
This patch set is a follow up on discussion in [0] which
concluded that Patrole should not test Neutron plugins.
The pertinent discussion from [0] is:
Patrole can test Neutron extensions but not plugins in tree
and that requires renaming the classes
(.*PluginRbacTest => .*ExtRbacTest) to make it clearer.
Having to support all the Neutron plugins in tree is out of scope
for Patrole. Clarifying documentation (which will be done in follow
up) can be added to Patrole documentation to make it clear that
it will only test "main" OpenStack projects, like Tempest.
[0] https://review.openstack.org/#/c/599869/
Change-Id: Iab029f2f875ce2268de12cc2a40e30f2f1a913fe
This patch set introduces a new hacking check called
`no_plugin_rbac_test_suffix_in_plugin_test_class_name` which
is responsible for enforcing that all plugin rbac test classes
end in the correct suffix in order to avoid issues like [0].
Basically, some network plugin rbac tests were skipping because
the regex in .zuul.yaml was not selecting them because the
classes were improperly named. This is to avoid that regression.
Updates documentation with P104 - alias for this new hacking
rule - and adds unit tests to validate its logic.
[0] https://review.openstack.org/#/c/612197/
Change-Id: Ia50edbe5aeb25e57756e9579da8270396bba718c
This patchset adds reviewing documentation to Patrole which
is very similar to Tempest's reviewing documentation, except that
it omits sections that aren't so relevant (like requirements around
docstrings because currently Patrole has no such requirements) but
adds sections related to policy concerns.
Change-Id: I25c3a4b73f1d4f8beb7bce9c694f4bb3f904e038
This is to add documentation on policy feature flags, recently
introduced in [0].
[0] Ia0d9847908a8e723446c16465d68cd7f622c04cc
Depends-On: Ia47132fa596918e58f21ba9810c2c28ddcf0d584
Change-Id: I3e630c535074e3a9ce8e9b07a1909984d70cef12
This is to remove the deprecated switch_role method from
rbac_utils module as it has been replaced by override_role
which is a superior way to manipulate the underlying role used
for querying API endpoints in Tempest.
Change-Id: Ibaffcd8cd0b62ad792b0ef5f9be4d33ec31e8c7a
This patch adds a new per-test logging feature to Patrole
To accomplish this, it adds two new config variables
The logging now prints a log message containing the results of each RBAC
test to a separate log file, as well as to the normal
tempest.log file. This message is of the form:
[Service] <nova, neutron, etc>
[Test] <name of the test's method>
followed by either the result of the test as Allowed/Denied/Error, or
the expected result (from oslopolicy) and then the actual result
There are two new config variables that control this, added in a new
config group called patrole_log:
enable_reporting - defaults to True, which enables this new logging
functionality
report_log_name - defaults to patrole.log, controls the name of the log
the output is written to.
report_log_path - Defaults to the local directory, path (relative or
absolute) where to store the log
Change-Id: Iff2176f1a7c7d10f78b96d748f1d70b222fd5072
Adds unit tests for Patrole hacking checks. Also cleans up
existing Patrole hacking checks for code maintainability.
This commit also modifies the P100 hacking check to work
with arbitrarily many decorators, so that rbac_rule_validation
decorator can be sandwiched between any number of decorators
in any order; the only requirement is that it appear before
each test.
Change-Id: Ic02c9278e5293311dd6f7b02790a256d391098f7
Closes-Bug: #1708794
Adds hacking rule to prevent clients being defined using
"self.client" as a service alias. Doing so makes code difficult to
read and harder to maintain.
Change-Id: I060042d6af743079bdb43623e49dbfeba6f46fad
This patch:
- Adds hacking check to Patrole (executed via tox -e pep8)
- Corrects a few hacking errors
- Adds hacking documentation to Patrole
Change-Id: Id43e24060a5290df91c594df6a38ba0cb239bbaf
Updates patrole's current documentation with improved formatting.
Also updates many sections to add more clarity and detail.
Change-Id: Idebe341e2fcb0ee04db979d41df9bef5395af1b5