openstack
/
deb-barbican
Code Issues Proposed changes

Add RBAC tests for orders 

We have RBAC tests for secrets and containers, now adding them for orders.

Change-Id: I09a1d44f2ab07722552ee94d38f3b25ebe1a4e99
This commit is contained in:
Steve Heyman 2015-06-08 14:32:08 -05:00
parent 91bed48d48
commit 4f45662cc6
2 changed files with 224 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
functionaltests/api/v1/behaviors/order_behaviors.py
View File

@ -19,18 +19,22 @@ from functionaltests.api.v1.models import order_models
class OrderBehaviors(base_behaviors.BaseBehaviors):
def create_order(self, model, extra_headers=None, use_auth=True):
def create_order(self, model, extra_headers=None, use_auth=True,
user_name=None, admin=None):
"""Create an order from the data in the model.
:param model: The data used to create the order
:param extra_headers: Optional HTTP headers to add to the request
:param use_auth: Boolean to determine whether auth headers are sent
:param user_name: the user used to do the create
:param admin: the admin of the group to which user_name belongs
:return: The create response and href for the order
"""
# create the order
resp = self.client.post('orders', request_model=model,
extra_headers=extra_headers, use_auth=use_auth)
extra_headers=extra_headers,
user_name=user_name, use_auth=use_auth)
# handle expected JSON parsing errors for unauthenticated requests
if resp.status_code == 401 and not use_auth:
@ -39,26 +43,29 @@ class OrderBehaviors(base_behaviors.BaseBehaviors):
returned_data = self.get_json(resp)
order_ref = returned_data.get('order_ref')
# remember this order for our housekeeping cleanup
# remember this order and its admin for our housekeeping cleanup
if order_ref:
self.created_entities.append(order_ref)
self.created_entities.append((order_ref, admin))
return resp, order_ref
def get_order(self, order_ref, extra_headers=None, use_auth=True):
def get_order(self, order_ref, extra_headers=None, user_name=None,
use_auth=True):
"""Get an order from an href.
:param order_ref: The href for an order
:param extra_headers: Optional HTTP headers to add to the request
:param user_name: the user used to do the get
:param use_auth: Boolean to determine whether auth headers are sent
:return: The response from the get
"""
return self.client.get(order_ref,
response_model_type=order_models.OrderModel,
extra_headers=extra_headers, use_auth=use_auth)
extra_headers=extra_headers,
user_name=user_name, use_auth=use_auth)
def get_orders(self, limit=10, offset=0, name_filter=None,
extra_headers=None, use_auth=True):
extra_headers=None, user_name=None, use_auth=True):
"""Get a list of orders.
:param limit: limits number of returned orders (default 10)
@ -67,6 +74,7 @@ class OrderBehaviors(base_behaviors.BaseBehaviors):
:param name_filter: optional filter to limit the returned secrets to
those whose name matches the filter.
:param extra_headers: Optional HTTP headers to add to the request
:param user_name: the user used to do the get
:param use_auth: Boolean to determine whether auth headers are sent
:return the response, a list of orders and the next/pref hrefs
"""
@ -75,7 +83,8 @@ class OrderBehaviors(base_behaviors.BaseBehaviors):
params['name'] = name_filter
resp = self.client.get('orders', params=params,
extra_headers=extra_headers, use_auth=use_auth)
extra_headers=extra_headers,
user_name=user_name, use_auth=use_auth)
# handle expected JSON parsing errors for unauthenticated requests
if resp.status_code == 401 and not use_auth:
@ -89,7 +98,7 @@ class OrderBehaviors(base_behaviors.BaseBehaviors):
return resp, orders, next_ref, prev_ref
def delete_order(self, order_ref, extra_headers=None, expected_fail=False,
use_auth=True):
user_name=None, use_auth=True):
"""Delete an order.
:param order_ref: HATEOS ref of the order to be deleted
@ -100,17 +109,22 @@ class OrderBehaviors(base_behaviors.BaseBehaviors):
determine whether or not this delete should
also remove an entity from our internal
list for housekeeping.
:param user_name: the user used to do the delete
:param use_auth: Boolean to determine whether auth headers are sent
:return A request response object
"""
resp = self.client.delete(order_ref, extra_headers=extra_headers,
use_auth=use_auth)
user_name=user_name, use_auth=use_auth)
if not expected_fail:
self.created_entities.remove(order_ref)
for item in self.created_entities:
if item[0] == order_ref:
self.created_entities.remove(item)
return resp
def delete_all_created_orders(self):
"""Delete all of the orders that we have created."""
orders_to_delete = [order for order in self.created_entities]
for order_ref in orders_to_delete:
self.delete_order(order_ref)
for (order_ref, admin) in orders_to_delete:
self.delete_order(order_ref, user_name=admin)

197
functionaltests/api/v1/functional/test_orders_rbac.py Normal file
View File

@ -0,0 +1,197 @@
# Copyright (c) 2015 Rackspace
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from barbican.tests import utils
from functionaltests.api import base
from functionaltests.api.v1.behaviors import order_behaviors
from functionaltests.api.v1.models import order_models
from functionaltests.common import config
CONF = config.get_config()
admin_a = CONF.rbac_users.admin_a
creator_a = CONF.rbac_users.creator_a
observer_a = CONF.rbac_users.observer_a
auditor_a = CONF.rbac_users.auditor_a
test_data_rbac_create_order = {
'with_admin_a': {'user': admin_a, 'admin': admin_a,
'expected_return': 202},
'with_creator_a': {'user': creator_a, 'admin': admin_a,
'expected_return': 202},
'with_observer_a': {'user': observer_a, 'admin': admin_a,
'expected_return': 403},
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
'expected_return': 403},
}
test_data_rbac_get_order = {
'with_admin_a': {'user': admin_a, 'admin': admin_a,
'expected_return': 200},
'with_creator_a': {'user': creator_a, 'admin': admin_a,
'expected_return': 200},
'with_observer_a': {'user': observer_a, 'admin': admin_a,
'expected_return': 200},
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
'expected_return': 200},
}
test_data_rbac_get_list_of_orders = {
'with_admin_a': {'user': admin_a, 'admin': admin_a,
'expected_return': 200},
'with_creator_a': {'user': creator_a, 'admin': admin_a,
'expected_return': 200},
'with_observer_a': {'user': observer_a, 'admin': admin_a,
'expected_return': 200},
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
'expected_return': 403},
}
test_data_rbac_delete_order = {
'with_admin_a': {'user': admin_a, 'admin': admin_a,
'expected_return': 204},
'with_creator_a': {'user': creator_a, 'admin': admin_a,
'expected_return': 403},
'with_observer_a': {'user': observer_a, 'admin': admin_a,
'expected_return': 403},
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
'expected_return': 403},
}
def get_default_order_data():
return {'type': 'key',
"meta": {
"name": "barbican functional test order name",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
}
}
@utils.parameterized_test_case
class RBACOrdersTestCase(base.TestCase):
"""Functional tests exercising RBAC Policies"""
def setUp(self):
super(RBACOrdersTestCase, self).setUp()
self.order_behaviors = order_behaviors.OrderBehaviors(self.client)
def tearDown(self):
self.order_behaviors.delete_all_created_orders()
super(RBACOrdersTestCase, self).tearDown()
@utils.parameterized_dataset(test_data_rbac_create_order)
def test_rbac_create_order(self, user, admin, expected_return):
"""Test RBAC for order creation
Issue an order creation and verify that that the correct
http return code comes back for the specified user.
:param user: the user who will attempt to do the create
:param admin: the admin of the group containing the user
:param expected_return: the expected http return code
"""
test_model = order_models.OrderModel(**get_default_order_data())
resp, order_ref = self.order_behaviors.create_order(test_model,
user_name=user,
admin=admin)
self.assertEqual(expected_return, resp.status_code)
self.assertEqual(expected_return == 202, order_ref is not None)
@utils.parameterized_dataset(test_data_rbac_get_order)
def test_rbac_get_order(self, user, admin, expected_return):
"""Test RBAC for order get metadata
Issue an order get and verify that that the correct
http return code comes back for the specified user.
The initial order will be created with the admin user to ensure
that it gets created successfully. We don't want the order
create to fail since we are only testing order get here.
:param user: the user who will attempt to do the get
:param admin: the admin of the group containing the user
:param expected_return: the expected http return code
"""
order_ref = self._create_initial_order(admin=admin)
resp = self.order_behaviors.get_order(order_ref, user_name=user)
self.assertEqual(expected_return, resp.status_code)
self.assertEqual(expected_return == 200, resp.content is not None)
@utils.parameterized_dataset(test_data_rbac_get_list_of_orders)
def test_rbac_get_list_of_orders(self, user, admin, expected_return):
"""Test RBAC for get order list
Issue an get order list and verify that that the correct
http return code comes back for the specified user.
Some initial orders will be stored with the admin user to ensure
that they get created successfully. We don't want the order
creates to fail since we are only testing get order list.
:param user: the user who will attempt to get the list of orders
:param admin: the admin of the group containing the user
:param expected_return: the expected http return code
"""
for i in range(3):
order_ref = self._create_initial_order(admin=admin)
self.assertIsNotNone(order_ref)
resp, orders, next, prev = self.order_behaviors.get_orders(
limit=10, offset=0, user_name=user)
self.assertEqual(expected_return, resp.status_code)
self.assertIsNotNone(orders)
@utils.parameterized_dataset(test_data_rbac_delete_order)
def test_rbac_delete_order(self, user, admin, expected_return):
"""Test RBAC for order delete
Issue an order delete and verify that that the correct
http return code comes back for the specified user.
The initial order will be stored with the admin user to ensure
that it gets created successfully. We don't want the order
create to fail since we are only testing order delete here.
:param user: the user who will attempt to do the delete
:param admin: the admin of the group containing the user
:param expected_return: the expected http return code
"""
order_ref = self._create_initial_order(admin=admin)
resp = self.order_behaviors.delete_order(order_ref, user_name=user)
self.assertEqual(expected_return, resp.status_code)
def _create_initial_order(self, admin=admin_a,
order_data=get_default_order_data()):
"""Utility function to create an order
Some tests require a order to exist before they test certain things,
so this function can be used to do that setup.
:param admin: the admin user who will create the order
:param order_data: the data for the order
:return: href to the newly created order
"""
test_model = order_models.OrderModel(**order_data)
resp, order_ref = self.order_behaviors.create_order(test_model,
user_name=admin)
self.assertEqual(202, resp.status_code)
return order_ref