Reuse tempest to create admin client manager
The previous code doesn't support PreProvisionedCredentialProvider, it was getting admin credentials from tempest config file which are not set when using test_accounts_file. Change-Id: Ia34d08ad659b095a114c27d6d596507f7922149a
This commit is contained in:
parent
b73e1088e0
commit
27f671f1a2
|
@ -21,8 +21,6 @@ import os
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
import stevedore
|
import stevedore
|
||||||
from tempest import clients
|
|
||||||
from tempest.common import credentials_factory as credentials
|
|
||||||
from tempest import config
|
from tempest import config
|
||||||
|
|
||||||
from patrole_tempest_plugin.rbac_authority import RbacAuthority
|
from patrole_tempest_plugin.rbac_authority import RbacAuthority
|
||||||
|
@ -34,6 +32,7 @@ LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
class PolicyAuthority(RbacAuthority):
|
class PolicyAuthority(RbacAuthority):
|
||||||
"""A class that uses ``oslo.policy`` for validating RBAC."""
|
"""A class that uses ``oslo.policy`` for validating RBAC."""
|
||||||
|
os_admin = None
|
||||||
|
|
||||||
def __init__(self, project_id, user_id, service, extra_target_data=None):
|
def __init__(self, project_id, user_id, service, extra_target_data=None):
|
||||||
"""Initialization of Policy Authority class.
|
"""Initialization of Policy Authority class.
|
||||||
|
@ -123,12 +122,10 @@ class PolicyAuthority(RbacAuthority):
|
||||||
|
|
||||||
# Cache the list of available services in memory to avoid needlessly
|
# Cache the list of available services in memory to avoid needlessly
|
||||||
# doing an API call every time.
|
# doing an API call every time.
|
||||||
if not hasattr(cls, 'available_services'):
|
if not hasattr(cls, 'available_services') and cls.os_admin:
|
||||||
admin_mgr = clients.Manager(
|
services_client = (cls.os_admin.identity_services_v3_client
|
||||||
credentials.get_configured_admin_credentials())
|
|
||||||
services_client = (admin_mgr.identity_services_v3_client
|
|
||||||
if CONF.identity_feature_enabled.api_v3
|
if CONF.identity_feature_enabled.api_v3
|
||||||
else admin_mgr.identity_services_client)
|
else cls.os_admin.identity_services_client)
|
||||||
services = services_client.list_services()['services']
|
services = services_client.list_services()['services']
|
||||||
cls.available_services = [s['name'] for s in services]
|
cls.available_services = [s['name'] for s in services]
|
||||||
|
|
||||||
|
|
|
@ -356,9 +356,11 @@ def _is_authorized(test_obj, service, rule, extra_target_data):
|
||||||
else:
|
else:
|
||||||
formatted_target_data = _format_extra_target_data(
|
formatted_target_data = _format_extra_target_data(
|
||||||
test_obj, extra_target_data)
|
test_obj, extra_target_data)
|
||||||
|
policy_authority.PolicyAuthority.os_admin = test_obj.os_admin
|
||||||
authority = policy_authority.PolicyAuthority(
|
authority = policy_authority.PolicyAuthority(
|
||||||
project_id, user_id, service,
|
project_id, user_id, service,
|
||||||
extra_target_data=formatted_target_data)
|
extra_target_data=formatted_target_data)
|
||||||
|
|
||||||
is_allowed = authority.allowed(rule, roles)
|
is_allowed = authority.allowed(rule, roles)
|
||||||
|
|
||||||
if is_allowed:
|
if is_allowed:
|
||||||
|
|
|
@ -20,8 +20,6 @@ import time
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import excutils
|
from oslo_utils import excutils
|
||||||
|
|
||||||
from tempest import clients
|
|
||||||
from tempest.common import credentials_factory as credentials
|
|
||||||
from tempest import config
|
from tempest import config
|
||||||
from tempest.lib import exceptions as lib_exc
|
from tempest.lib import exceptions as lib_exc
|
||||||
|
|
||||||
|
@ -128,6 +126,7 @@ class RbacUtilsMixin(object):
|
||||||
defined by ``CONF.identity.admin_role`` and
|
defined by ``CONF.identity.admin_role`` and
|
||||||
``CONF.patrole.rbac_test_roles``.
|
``CONF.patrole.rbac_test_roles``.
|
||||||
"""
|
"""
|
||||||
|
credentials = ['primary', 'admin']
|
||||||
|
|
||||||
def __init__(self, *args, **kwargs):
|
def __init__(self, *args, **kwargs):
|
||||||
super(RbacUtilsMixin, self).__init__(*args, **kwargs)
|
super(RbacUtilsMixin, self).__init__(*args, **kwargs)
|
||||||
|
@ -159,11 +158,8 @@ class RbacUtilsMixin(object):
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def setup_clients(cls):
|
def setup_clients(cls):
|
||||||
# Intialize the admin roles_client to perform role switching.
|
|
||||||
admin_mgr = clients.Manager(
|
|
||||||
credentials.get_configured_admin_credentials())
|
|
||||||
if CONF.identity_feature_enabled.api_v3:
|
if CONF.identity_feature_enabled.api_v3:
|
||||||
admin_roles_client = admin_mgr.roles_v3_client
|
admin_roles_client = cls.os_admin.roles_v3_client
|
||||||
else:
|
else:
|
||||||
raise lib_exc.InvalidConfiguration(
|
raise lib_exc.InvalidConfiguration(
|
||||||
"Patrole role overriding only supports v3 identity API.")
|
"Patrole role overriding only supports v3 identity API.")
|
||||||
|
|
|
@ -77,7 +77,6 @@ class BaseIdentityRbacTest(rbac_utils.RbacUtilsMixin,
|
||||||
class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
|
||||||
|
|
||||||
identity_version = 'v3'
|
identity_version = 'v3'
|
||||||
credentials = ['primary']
|
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def setup_clients(cls):
|
def setup_clients(cls):
|
||||||
|
|
|
@ -23,7 +23,7 @@ from patrole_tempest_plugin.tests.api.identity import rbac_base
|
||||||
|
|
||||||
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
class IdentityTokenV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
||||||
|
|
||||||
credentials = ['primary', 'alt']
|
credentials = ['primary', 'alt', 'admin']
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def skip_checks(cls):
|
def skip_checks(cls):
|
||||||
|
|
|
@ -27,7 +27,7 @@ CONF = config.CONF
|
||||||
|
|
||||||
class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
|
||||||
|
|
||||||
credentials = ['primary', 'alt']
|
credentials = ['primary', 'alt', 'admin']
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def skip_checks(cls):
|
def skip_checks(cls):
|
||||||
|
|
|
@ -21,7 +21,7 @@ from patrole_tempest_plugin.tests.api.image import rbac_base as base
|
||||||
|
|
||||||
class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
|
class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
|
||||||
|
|
||||||
credentials = ['primary', 'alt']
|
credentials = ['primary', 'alt', 'admin']
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def resource_setup(cls):
|
def resource_setup(cls):
|
||||||
|
|
|
@ -19,7 +19,6 @@ from unittest import mock
|
||||||
import fixtures
|
import fixtures
|
||||||
import time
|
import time
|
||||||
|
|
||||||
from tempest.common import credentials_factory as credentials
|
|
||||||
from tempest import config
|
from tempest import config
|
||||||
from tempest import test
|
from tempest import test
|
||||||
|
|
||||||
|
@ -55,6 +54,7 @@ class ConfPatcher(fixtures.Fixture):
|
||||||
|
|
||||||
|
|
||||||
class FakeBaseRbacTest(rbac_utils.RbacUtilsMixin, test.BaseTestCase):
|
class FakeBaseRbacTest(rbac_utils.RbacUtilsMixin, test.BaseTestCase):
|
||||||
|
credentials = []
|
||||||
os_primary = None
|
os_primary = None
|
||||||
|
|
||||||
def runTest(self):
|
def runTest(self):
|
||||||
|
@ -91,13 +91,20 @@ class RbacUtilsMixinFixture(fixtures.Fixture):
|
||||||
# time.sleep is a test optimization.
|
# time.sleep is a test optimization.
|
||||||
self.mock_time = self.patchobject(rbac_utils, 'time',
|
self.mock_time = self.patchobject(rbac_utils, 'time',
|
||||||
__name__='mock_time', spec=time)
|
__name__='mock_time', spec=time)
|
||||||
self.patchobject(credentials, 'get_configured_admin_credentials',
|
|
||||||
spec=object)
|
test_obj_kwargs = {
|
||||||
mock_admin_mgr = self.patchobject(rbac_utils.clients, 'Manager',
|
'credentials.user_id': self.USER_ID,
|
||||||
spec=rbac_utils.clients.Manager,
|
'credentials.tenant_id': self.PROJECT_ID,
|
||||||
roles_v3_client=mock.Mock(),
|
'credentials.project_id': self.PROJECT_ID,
|
||||||
roles_client=mock.Mock())
|
}
|
||||||
self.admin_roles_client = mock_admin_mgr.return_value.roles_v3_client
|
|
||||||
|
class FakeRbacTest(FakeBaseRbacTest):
|
||||||
|
os_primary = mock.Mock()
|
||||||
|
os_admin = mock.Mock()
|
||||||
|
|
||||||
|
FakeRbacTest.os_primary.configure_mock(**test_obj_kwargs)
|
||||||
|
|
||||||
|
self.admin_roles_client = FakeRbacTest.os_admin.roles_v3_client
|
||||||
self.admin_roles_client.list_all_role_inference_rules.return_value = {
|
self.admin_roles_client.list_all_role_inference_rules.return_value = {
|
||||||
"role_inferences": [
|
"role_inferences": [
|
||||||
{
|
{
|
||||||
|
@ -115,22 +122,12 @@ class RbacUtilsMixinFixture(fixtures.Fixture):
|
||||||
set(self._rbac_test_roles))
|
set(self._rbac_test_roles))
|
||||||
self.set_roles(list(default_roles), [])
|
self.set_roles(list(default_roles), [])
|
||||||
|
|
||||||
test_obj_kwargs = {
|
|
||||||
'credentials.user_id': self.USER_ID,
|
|
||||||
'credentials.tenant_id': self.PROJECT_ID,
|
|
||||||
'credentials.project_id': self.PROJECT_ID,
|
|
||||||
}
|
|
||||||
|
|
||||||
class FakeRbacTest(FakeBaseRbacTest):
|
|
||||||
os_primary = mock.Mock()
|
|
||||||
|
|
||||||
FakeRbacTest.os_primary.configure_mock(**test_obj_kwargs)
|
|
||||||
|
|
||||||
FakeRbacTest.setUpClass()
|
FakeRbacTest.setUpClass()
|
||||||
self.test_obj = FakeRbacTest()
|
self.test_obj = FakeRbacTest()
|
||||||
if self._do_reset_mocks:
|
if self._do_reset_mocks:
|
||||||
self.admin_roles_client.reset_mock()
|
self.admin_roles_client.reset_mock()
|
||||||
self.test_obj.os_primary.reset_mock()
|
self.test_obj.os_primary.reset_mock()
|
||||||
|
self.test_obj.os_admin.reset_mock()
|
||||||
self.mock_time.reset_mock()
|
self.mock_time.reset_mock()
|
||||||
|
|
||||||
def set_roles(self, roles, roles_on_project=None):
|
def set_roles(self, roles, roles_on_project=None):
|
||||||
|
|
|
@ -40,11 +40,12 @@ class PolicyAuthorityTest(base.TestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(PolicyAuthorityTest, self).setUp()
|
super(PolicyAuthorityTest, self).setUp()
|
||||||
self.patchobject(policy_authority, 'credentials')
|
|
||||||
m_creds = self.patchobject(policy_authority, 'clients')
|
mock_admin = self.patchobject(policy_authority.PolicyAuthority,
|
||||||
m_creds.Manager().identity_services_client.list_services.\
|
'os_admin')
|
||||||
|
mock_admin.identity_services_client.list_services.\
|
||||||
return_value = self.services
|
return_value = self.services
|
||||||
m_creds.Manager().identity_services_v3_client.list_services.\
|
mock_admin.identity_services_v3_client.list_services.\
|
||||||
return_value = self.services
|
return_value = self.services
|
||||||
|
|
||||||
current_directory = os.path.dirname(os.path.realpath(__file__))
|
current_directory = os.path.dirname(os.path.realpath(__file__))
|
||||||
|
@ -492,11 +493,12 @@ class PolicyAuthorityTest(base.TestCase):
|
||||||
@mock.patch.object(policy_authority, 'policy', autospec=True)
|
@mock.patch.object(policy_authority, 'policy', autospec=True)
|
||||||
@mock.patch.object(policy_authority.PolicyAuthority, 'get_rules',
|
@mock.patch.object(policy_authority.PolicyAuthority, 'get_rules',
|
||||||
autospec=True)
|
autospec=True)
|
||||||
@mock.patch.object(policy_authority, 'clients', autospec=True)
|
@mock.patch.object(policy_authority.PolicyAuthority, 'os_admin',
|
||||||
|
autospec=True)
|
||||||
@mock.patch.object(policy_authority, 'os', autospec=True)
|
@mock.patch.object(policy_authority, 'os', autospec=True)
|
||||||
@mock.patch.object(policy_authority, 'glob', autospec=True)
|
@mock.patch.object(policy_authority, 'glob', autospec=True)
|
||||||
def test_discover_policy_files_with_many_invalid_one_valid(self, m_glob,
|
def test_discover_policy_files_with_many_invalid_one_valid(self, m_glob,
|
||||||
m_os, m_creds,
|
m_os, m_admin,
|
||||||
*args):
|
*args):
|
||||||
service = 'test_service'
|
service = 'test_service'
|
||||||
custom_policy_files = ['foo/%s', 'bar/%s', 'baz/%s']
|
custom_policy_files = ['foo/%s', 'bar/%s', 'baz/%s']
|
||||||
|
@ -506,7 +508,7 @@ class PolicyAuthorityTest(base.TestCase):
|
||||||
m_os.path.isfile.side_effect = [False, False, True]
|
m_os.path.isfile.side_effect = [False, False, True]
|
||||||
|
|
||||||
# Ensure the outer for loop runs only once in `discover_policy_files`.
|
# Ensure the outer for loop runs only once in `discover_policy_files`.
|
||||||
m_creds.Manager().identity_services_v3_client.\
|
m_admin.identity_services_v3_client.\
|
||||||
list_services.return_value = {
|
list_services.return_value = {
|
||||||
'services': [{'name': service}]}
|
'services': [{'name': service}]}
|
||||||
|
|
||||||
|
@ -545,11 +547,11 @@ class PolicyAuthorityTest(base.TestCase):
|
||||||
|
|
||||||
def _test_validate_service(self, v2_services, v3_services,
|
def _test_validate_service(self, v2_services, v3_services,
|
||||||
expected_failure=False, expected_services=None):
|
expected_failure=False, expected_services=None):
|
||||||
with mock.patch.object(
|
with mock.patch.object(policy_authority.PolicyAuthority, 'os_admin',
|
||||||
policy_authority, 'clients', autospec=True) as m_creds:
|
autospec=True) as m_admin:
|
||||||
m_creds.Manager().identity_services_client.list_services.\
|
m_admin.identity_services_client.list_services.\
|
||||||
return_value = v2_services
|
return_value = v2_services
|
||||||
m_creds.Manager().identity_services_v3_client.list_services.\
|
m_admin.identity_services_v3_client.list_services.\
|
||||||
return_value = v3_services
|
return_value = v3_services
|
||||||
|
|
||||||
test_tenant_id = mock.sentinel.tenant_id
|
test_tenant_id = mock.sentinel.tenant_id
|
||||||
|
|
Loading…
Reference in New Issue