From 31c0006ded28255e2502d2975648f1fe603ec127 Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Thu, 12 Sep 2019 22:11:35 +0200 Subject: [PATCH] Add list security group rules API test This test checks that regular user can see all SG rules which belongs to his tenant OR belongs to security group owned by his tenant. This test also ensures that SG rules from different tenants and Security Groups are not visible for regular user. Fix for master branch Depends-On: https://review.opendev.org/681910 Fix for stable/train Depends-On: https://review.opendev.org/688715 Fix for stable/stein Depends-On: https://review.opendev.org/688716 Fix for stable/rocky Depends-On: https://review.opendev.org/688717 Fix for stable/queens Depends-On: https://review.opendev.org/688719 Change-Id: Ic2e97ab8162d10e507ef83b9af0840e7311f0587 Related-Bug: #1824248 --- .../api/test_security_groups.py | 33 +++++++++++++++++++ .../services/network/json/network_client.py | 9 +++++ 2 files changed, 42 insertions(+) diff --git a/neutron_tempest_plugin/api/test_security_groups.py b/neutron_tempest_plugin/api/test_security_groups.py index c2e63da2..67925f7f 100644 --- a/neutron_tempest_plugin/api/test_security_groups.py +++ b/neutron_tempest_plugin/api/test_security_groups.py 
@@ -76,6 +76,39 @@ class SecGroupTest(base.BaseAdminNetworkTest): self.assertIn( security_group_rule['id'], observerd_security_group_rules_ids) + @decorators.idempotent_id('b5923b1a-4d33-44e1-af25-088dcb55b02b') + def test_list_security_group_rules_contains_all_rules(self): + """Test list security group rules. + + This test checks if all SG rules which belongs to the tenant OR + which belongs to the tenant's security group are listed. + """ + security_group = self.create_security_group() + protocol = random.choice(list(base_security_groups.V4_PROTOCOL_NAMES)) + security_group_rule = self.create_security_group_rule( + security_group=security_group, + project={'id': self.admin_client.tenant_id}, + client=self.admin_client, + protocol=protocol, + direction=constants.INGRESS_DIRECTION) + + # Create also other SG with some custom rule to check that regular user + # can't see this rule + admin_security_group = self.create_security_group( + project={'id': self.admin_client.tenant_id}, + client=self.admin_client) + admin_security_group_rule = self.create_security_group_rule( + security_group=admin_security_group, + project={'id': self.admin_client.tenant_id}, + client=self.admin_client, + protocol=protocol, + direction=constants.INGRESS_DIRECTION) + + rules = self.client.list_security_group_rules()['security_group_rules'] + rules_ids = [rule['id'] for rule in rules] + self.assertIn(security_group_rule['id'], rules_ids) + self.assertNotIn(admin_security_group_rule['id'], rules_ids) + @decorators.idempotent_id('7c0ecb10-b2db-11e6-9b14-000c29248b0d') def test_create_bulk_sec_groups(self): # Creates 2 sec-groups in one request diff --git a/neutron_tempest_plugin/services/network/json/network_client.py b/neutron_tempest_plugin/services/network/json/network_client.py index 521e2be5..ddb6f95d 100644 --- a/neutron_tempest_plugin/services/network/json/network_client.py +++ b/neutron_tempest_plugin/services/network/json/network_client.py 
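Review bot: The negative check at the end of `test_list_security_group_rules_contains_all_rules` covers only the one rule id the test created, so a cross-tenant leak of any other rule in the admin-owned group (for example, rules the server may add by default) would pass unnoticed. Asserting on the group closes that gap: `self.assertNotIn(admin_security_group['id'], [rule['security_group_id'] for rule in rules])`. The docstring names two cases, rules owned by the tenant and rules in a tenant-owned group, but only the second is asserted, because `security_group_rule` is created through `admin_client` with the admin project id. A rule created with the regular client would cover the first case. `random.choice` for the protocol makes a failure harder to reproduce, and the protocol presumably has no effect on visibility, so a fixed value would serve as well.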
@@ -893,6 +893,15 @@ class NetworkClientJSON(service_client.RestClient): self.expected_success(204, resp.status) return service_client.ResponseBody(resp, body) + def list_security_group_rules(self, **kwargs): + uri = '%s/security-group-rules' % self.uri_prefix + if kwargs: + uri += '?' + urlparse.urlencode(kwargs, doseq=1) + resp, body = self.get(uri) + self.expected_success(200, resp.status) + body = jsonutils.loads(body) + return service_client.ResponseBody(resp, body) + def create_security_group_rule(self, direction, security_group_id, **kwargs): post_body = {'security_group_rule': kwargs}
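Review bot: `list_security_group_rules` has no docstring, and the test added in this commit relies on it to check tenant isolation. The docstring should say that `kwargs` are sent as query filters and that the method does no filtering of its own, so the result is whatever the server returns for this client's credentials. Something like `"""List security group rules visible to this client; kwargs are sent as query filters."""` would do. As a style point, `doseq=1` reads more clearly as `doseq=True`. The enclosing class starts and ends outside the hunk.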