openstack
/
patrole
Code Issues Proposed changes

Add skip check to tests that modify the user source 

When using an immutable user source, test should skip if the
test tries to modify the user source. This includes creating,
updating and deleting users. A similar change was merged here:
https://review.opendev.org/#/c/670590/

Change-Id: If7c6ae7fc57a4ac256cf668c4075ee86143202ea
This commit is contained in:
Rick Bartra 2019-08-23 11:38:09 -04:00 committed by Rick Bartra
parent f8923d1ddf
commit 39ad28a2a8
5 changed files with 191 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
View File

@ -45,6 +45,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.setup_test_credential(user=user)
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an immutable user '
'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:update_credential"])
@decorators.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
@ -61,6 +64,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
secret_key=new_keys[1],
project_id=credential['project_id'])
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an immutable user '
'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:delete_credential"])
@decorators.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
@ -70,6 +76,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.creds_client.delete_credential(credential['id'])
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an immutable user '
'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:get_credential"])
@decorators.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')

11
patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
View File

@ -13,12 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@ -82,6 +87,9 @@ class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.groups_client.add_group_user(group['id'], user['id'])
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an immutable user '
'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:remove_user_from_group"])
@decorators.idempotent_id('8a60d11c-7d2b-47e5-a0f3-9ea900ca66fe')
@ -100,6 +108,9 @@ class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.groups_client.list_group_users(group['id'])
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an immutable user '
'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_user_in_group"])
@decorators.idempotent_id('d3603241-fd87-4a2d-94f9-f32469d1aaba')

285
patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
View File

@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@ -20,6 +21,8 @@ from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@ -31,7 +34,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
cls.group = cls.setup_test_group()
cls.role = cls.setup_test_role()
cls.implies_role = cls.setup_test_role()
cls.user = cls.setup_test_user()
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_role"])
@ -74,21 +76,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.roles_client.list_roles()
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
def test_create_user_role_on_project(self):
with self.override_role():
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
@ -104,21 +91,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.group['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
def test_create_user_role_on_domain(self):
with self.override_role():
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
@ -134,46 +106,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.group['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
@decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
def test_check_user_role_existence_on_project(self):
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.check_user_role_existence_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
@decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
def test_check_user_role_existence_on_domain(self):
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.check_user_role_existence_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
@decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
@ -214,26 +146,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.group['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
def test_delete_role_from_user_on_project(self):
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.delete_role_from_user_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
@ -254,26 +166,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.group['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
def test_delete_role_from_user_on_domain(self):
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.delete_role_from_user_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
@ -294,15 +186,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.group['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
def test_list_user_roles_on_project(self):
with self.override_role():
self.roles_client.list_user_roles_on_project(
self.project['id'],
self.user['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
@ -312,15 +195,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
self.project['id'],
self.group['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
def test_list_user_roles_on_domain(self):
with self.override_role():
self.roles_client.list_user_roles_on_domain(
self.domain['id'],
self.user['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
@ -393,3 +267,156 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
def test_list_all_role_inference_rules(self):
with self.override_role():
self.roles_client.list_all_role_inference_rules()
class IdentityRolesUserCreateV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
"""Tests identity roles v3 API endpoints that require user creation.
This is in a separate class to better manage immutable user source feature
flag.
"""
@classmethod
def skip_checks(cls):
super(IdentityRolesUserCreateV3RbacTest, cls).skip_checks()
if CONF.identity_feature_enabled.immutable_user_source:
raise cls.skipException('Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
@classmethod
def resource_setup(cls):
super(IdentityRolesUserCreateV3RbacTest, cls).resource_setup()
cls.domain = cls.setup_test_domain()
cls.project = cls.setup_test_project()
cls.group = cls.setup_test_group()
cls.role = cls.setup_test_role()
cls.implies_role = cls.setup_test_role()
cls.user = cls.setup_test_user()
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
def test_create_user_role_on_project(self):
with self.override_role():
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
def test_create_user_role_on_domain(self):
with self.override_role():
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
@decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
def test_check_user_role_existence_on_project(self):
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.check_user_role_existence_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
@decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
def test_check_user_role_existence_on_domain(self):
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.check_user_role_existence_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
def test_delete_role_from_user_on_project(self):
self.roles_client.create_user_role_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_project,
self.project['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.delete_role_from_user_on_project(
self.project['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
def test_delete_role_from_user_on_domain(self):
self.roles_client.create_user_role_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role_from_user_on_domain,
self.domain['id'],
self.user['id'],
self.role['id'])
with self.override_role():
self.roles_client.delete_role_from_user_on_domain(
self.domain['id'],
self.user['id'],
self.role['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
def test_list_user_roles_on_project(self):
with self.override_role():
self.roles_client.list_user_roles_on_project(
self.project['id'],
self.user['id'])
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
def test_list_user_roles_on_domain(self):
with self.override_role():
self.roles_client.list_user_roles_on_domain(
self.domain['id'],
self.user['id'])

4
patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
View File

@ -35,6 +35,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
if not CONF.identity_feature_enabled.trust:
raise cls.skipException(
"%s skipped as trust feature isn't enabled" % cls.__name__)
if CONF.identity_feature_enabled.immutable_user_source:
raise cls.skipException('Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
@classmethod
def resource_setup(cls):

11
patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
View File

@ -13,12 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
import testtools
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@ -27,6 +32,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
super(IdentityUserV3RbacTest, cls).resource_setup()
cls.default_user_id = cls.os_primary.credentials.user_id
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
"Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
@ -34,6 +41,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
with self.override_role():
self.setup_test_user()
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
"Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:update_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d905')
@ -47,6 +56,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
name=user['name'],
email=new_email)
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
"Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:delete_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d906')