Secure RBAC Test

Enforce/test the state of each policy's engagement for baremetal nodes, project reader and system reader. The tests use a try clause, catches the exception and checks the response status code match what is expected. Change-Id: I0b5f8eb881462f5d78f65bd37fbb8b296d9880eb
2022-05-18 12:41:29 -07:00 · 2022-05-18 12:41:29 -07:00 · e4756405cd
parent 5952cbd6da
commit e4756405cd
4 changed files with 1378 additions and 0 deletions
--- a/ironic_tempest_plugin/services/baremetal/v1/json/baremetal_client.py
+++ b/ironic_tempest_plugin/services/baremetal/v1/json/baremetal_client.py
@ -601,6 +601,19 @@ class BaremetalClient(base.BaremetalClient):
        return self._put_request('nodes/%s/states/power' % node_uuid,
                                 target)

+    @base.handle_errors
+    def set_node_state(self, node_uuid, state, target):
+        """Set state for the specified node.
+
+        :param node_uuid: The unique identifier of the node.
+        :param state: The desired state to set.
+        :param target: The target state
+
+        """
+        target = {'target': target}
+        return self._put_request('nodes/%s/states/%s' % (node_uuid, state),
+                                 target)
+
    @base.handle_errors
    def set_node_provision_state(self, node_uuid, state, configdrive=None,
                                 clean_steps=None, rescue_password=None):
@ -680,6 +693,38 @@ class BaremetalClient(base.BaremetalClient):
        self.expected_success(http_client.OK, resp.status)
        return body

+    @base.handle_errors
+    def set_node_indicator_state(self, node_uuid, component, ind_ident, state):
+        """Get the current indicator state
+
+        :param node_uuid: The unique identifier of the node.
+        :param component: The Bare Metal node component.
+        :param ind_ident: The indicator of a Bare Metal component.
+        :param state: The state of an indicator of the component of the node.
+                        Possible values are: OFF, ON, BLINKING or UNKNOWN.
+
+        """
+        resp, body = self._put_request('nodes/%s/management/indicators/%s/%s'
+                                       % (node_uuid, component, ind_ident),
+                                       state)
+        self.expected_success(http_client.OK, resp.status)
+        return body
+
+    @base.handle_errors
+    def get_node_indicator_state(self, node_uuid, component, ind_ident):
+        """Get the current indicator state
+
+        :param node_uuid: The unique identifier of the node.
+        :param component: The Bare Metal node component.
+        :param ind_ident: The indicator of a Bare Metal component.
+
+        """
+        path = 'nodes/%s/management/indicators/%s/%s' % (node_uuid, component,
+                                                         ind_ident)
+        resp, body = self._list_request(path)
+        self.expected_success(http_client.OK, resp.status)
+        return body
+
    @base.handle_errors
    def get_node_supported_boot_devices(self, node_uuid):
        """Get the supported boot devices of the specified node.
@ -864,3 +909,39 @@ class BaremetalClient(base.BaremetalClient):

        """
        return self._delete_request('allocations', allocation_ident)
+
+    @base.handle_errors
+    def list_node_history(self, node_uuid):
+        """List history entries for a node.
+
+        :param node_uuid: The unique identifier of the node.
+        """
+        return self._list_request('/nodes/%s/history' % node_uuid)
+
+    @base.handle_errors
+    def list_vendor_passthru_methods(self, node_uuid):
+        """List vendor-specific extensions (passthru) methods for a node
+
+        :param node_uuid: The unique identifier of the node.
+        """
+        return self._list_request('/nodes/%s/vendor_passthru/methods'
+                                  % node_uuid)
+
+    @base.handle_errors
+    def ipa_heartbeat(self, node_uuid, callback_url, agent_token,
+                      agent_version):
+        """Create a IPA heartbeat from the given body.
+
+        :param node_uuid: The unique identifier of the node.
+        :param callback_url: The URL of an active ironic-python-agent ramdisk
+        :param agent_token: The token of the ironic-python-agent ramdisk
+        :param agent_version: The version of the ironic-python-agent ramdisk
+        """
+        kwargs = {
+            'node_ident': node_uuid,
+            'callback_url': callback_url,
+            'agent_version': agent_version,
+            'agent_token': agent_token,
+        }
+
+        return self._create_request_no_response_body('heartbeat', kwargs)
--- a/ironic_tempest_plugin/tests/api/base.py
+++ b/ironic_tempest_plugin/tests/api/base.py
@ -482,3 +482,16 @@ class BaseBaremetalTest(api_version_utils.BaseMicroversionTest,
        """
        resp, body = cls.client.create_allocation(resource_class, **kwargs)
        return resp, body
+
+
+class BaseBaremetalRBACTest(BaseBaremetalTest):
+
+    # Unless otherwise superceeded by a version, RBAC tests generally start at
+    # version 1.70 as that is when System scope and the delineation occured.
+    min_microversion = '1.70'
+
+    @classmethod
+    def skip_checks(cls):
+        super(BaseBaremetalRBACTest, cls).skip_checks()
+        if not CONF.enforce_scope.ironic:
+            raise cls.skipException('RBAC tests for Ironic are not enabled.')
--- a/ironic_tempest_plugin/tests/api/rbac_defaults/init.py
+++ b/ironic_tempest_plugin/tests/api/rbac_defaults/init.py
--- a/ironic_tempest_plugin/tests/api/rbac_defaults/test_nodes.py
+++ b/ironic_tempest_plugin/tests/api/rbac_defaults/test_nodes.py