From 39ad28a2a881531939c471b8c8127ca571eb40ab Mon Sep 17 00:00:00 2001
From: Rick Bartra
Date: Fri, 23 Aug 2019 11:38:09 -0400
Subject: [PATCH] Add skip check to tests that modify the user source
When using an immutable user source, test should skip if the test tries to modify the user source. This includes creating, updating and deleting users. A similar change was merged here: https://review.opendev.org/#/c/670590/
Change-Id: If7c6ae7fc57a4ac256cf668c4075ee86143202ea
---
 .../api/identity/v3/test_credentials_rbac.py | 9 +
 .../tests/api/identity/v3/test_groups_rbac.py | 11 +
 .../tests/api/identity/v3/test_roles_rbac.py | 285 ++++++++++--------
 .../tests/api/identity/v3/test_trusts_rbac.py | 4 +
 .../tests/api/identity/v3/test_users_rbac.py | 11 +
 5 files changed, 191 insertions(+), 129 deletions(-)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 185dc8ca..aa77aa3c 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -45,6 +45,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.setup_test_credential(user=user)
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:update_credential"])
 @decorators.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
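Review bot: The three-line `@testtools.skipIf(...)` decorator added above the `identity:update_credential` test is pasted verbatim again in the two later hunks of this file (above `identity:delete_credential` and `identity:get_credential`) and twice in test_groups_rbac.py, so the condition and the reason text can drift apart over time. Binding it once at module level keeps them in step, for example `skip_if_immutable_user_source = testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, 'Skipped because environment has an immutable user source and solely provides read-only access to users.')` and then `@skip_if_immutable_user_source` on each test. The decorated test bodies lie outside the hunks.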
@@ -61,6 +64,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 secret_key=new_keys[1],
 project_id=credential['project_id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:delete_credential"])
 @decorators.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
@@ -70,6 +76,9 @@ class IdentityCredentialsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.creds_client.delete_credential(credential['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:get_credential"])
 @decorators.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 7fc4a43c..1e79501f 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -13,12 +13,17 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import testtools
+
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
 class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
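Review bot: The skip added above the `identity:get_credential` test in the third test_credentials_rbac.py hunk switches off RBAC verification of a read-only rule whenever the user source is immutable, and nothing on the visible lines says why a read needs it. The test body is outside the hunk; presumably its setup creates a user before the credential is fetched. If so, a comment above the decorator would record that, e.g. `# Skipped only because setup creates a user; the read itself does not modify the user source.`, so a later reader does not assume this policy rule is exercised on such deployments.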
@@ -82,6 +87,9 @@ class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.groups_client.add_group_user(group['id'], user['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:remove_user_from_group"])
 @decorators.idempotent_id('8a60d11c-7d2b-47e5-a0f3-9ea900ca66fe')
@@ -100,6 +108,9 @@ class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.groups_client.list_group_users(group['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:check_user_in_group"])
 @decorators.idempotent_id('d3603241-fd87-4a2d-94f9-f32469d1aaba')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
index 4f447c0f..c93afa1f 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -13,6 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
@@ -20,6 +21,8 @@ from tempest.lib import decorators
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
 class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
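Review bot: The test whose tail forms the leading context of the first test_groups_rbac.py hunk (`self.groups_client.add_group_user(group['id'], user['id'])`) gets no skip, while the `remove_user_from_group` and `check_user_in_group` tests after it do. The hunk offsets show nothing was added between the import hunk and this one, and `testtools` and `CONF` are only imported by this commit, so that test cannot have carried such a skip before. Its body starts outside the hunk, but if the local `user` comes from `self.setup_test_user()` the test will error rather than skip on an immutable user source, and the same decorator should be placed on it.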
@@ -31,7 +34,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 cls.group = cls.setup_test_group()
 cls.role = cls.setup_test_role()
 cls.implies_role = cls.setup_test_role()
- cls.user = cls.setup_test_user()
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:create_role"])
@@ -74,21 +76,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.roles_client.list_roles()
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:create_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
- def test_create_user_role_on_project(self):
- with self.override_role():
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:create_grant"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
@@ -104,21 +91,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.group['id'],
 self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:create_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
- def test_create_user_role_on_domain(self):
- with self.override_role():
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:create_grant"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
@@ -134,46 +106,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.group['id'],
 self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:check_grant"])
- @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
- def test_check_user_role_existence_on_project(self):
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.check_user_role_existence_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:check_grant"])
- def test_check_user_role_existence_on_domain(self):
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.check_user_role_existence_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
 @decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:check_grant"])
@@ -214,26 +146,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.group['id'],
 self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:revoke_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
- def test_delete_role_from_user_on_project(self):
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.delete_role_from_user_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:revoke_grant"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
@@ -254,26 +166,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.group['id'],
 self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:revoke_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
- def test_delete_role_from_user_on_domain(self):
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.delete_role_from_user_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:revoke_grant"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
@@ -294,15 +186,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.group['id'],
 self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:list_grants"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
- def test_list_user_roles_on_project(self):
- with self.override_role():
- self.roles_client.list_user_roles_on_project(
- self.project['id'],
- self.user['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:list_grants"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
@@ -312,15 +195,6 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 self.project['id'],
 self.group['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:list_grants"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
- def test_list_user_roles_on_domain(self):
- with self.override_role():
- self.roles_client.list_user_roles_on_domain(
- self.domain['id'],
- self.user['id'])
-
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:list_grants"])
 @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
@@ -393,3 +267,156 @@ class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 def test_list_all_role_inference_rules(self):
 with self.override_role():
 self.roles_client.list_all_role_inference_rules()
+
+
+class IdentityRolesUserCreateV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+ """Tests identity roles v3 API endpoints that require user creation.
+ This is in a separate class to better manage immutable user source feature
+ flag.
+ """
+
+ @classmethod
+ def skip_checks(cls):
+ super(IdentityRolesUserCreateV3RbacTest, cls).skip_checks()
+ if CONF.identity_feature_enabled.immutable_user_source:
+ raise cls.skipException('Skipped because environment has an '
+ 'immutable user source and solely '
+ 'provides read-only access to users.')
+
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityRolesUserCreateV3RbacTest, cls).resource_setup()
+ cls.domain = cls.setup_test_domain()
+ cls.project = cls.setup_test_project()
+ cls.group = cls.setup_test_group()
+ cls.role = cls.setup_test_role()
+ cls.implies_role = cls.setup_test_role()
+ cls.user = cls.setup_test_user()
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:create_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
+ def test_create_user_role_on_project(self):
+ with self.override_role():
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:create_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
+ def test_create_user_role_on_domain(self):
+ with self.override_role():
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:check_grant"])
+ @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
+ def test_check_user_role_existence_on_project(self):
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.check_user_role_existence_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:check_grant"])
+ def test_check_user_role_existence_on_domain(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.check_user_role_existence_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:revoke_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
+ def test_delete_role_from_user_on_project(self):
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.delete_role_from_user_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:revoke_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
+ def test_delete_role_from_user_on_domain(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.delete_role_from_user_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:list_grants"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
+ def test_list_user_roles_on_project(self):
+ with self.override_role():
+ self.roles_client.list_user_roles_on_project(
+ self.project['id'],
+ self.user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:list_grants"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
+ def test_list_user_roles_on_domain(self):
+ with self.override_role():
+ self.roles_client.list_user_roles_on_domain(
+ self.domain['id'],
+ self.user['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
index bd34f9e2..23c75c61 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
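Review bot: The class-level skip in `IdentityRolesUserCreateV3RbacTest.skip_checks` (test_roles_rbac.py) removes every user-targeted grant check (`identity:create_grant`, `identity:check_grant`, `identity:revoke_grant`, `identity:list_grants`) on immutable-source deployments, although on the visible lines only `cls.setup_test_user()` in `resource_setup` creates a user; the tests themselves only call grant APIs on `roles_client`. If an existing user can stand in, as `cls.os_primary.credentials.user_id` is read in test_users_rbac.py, `resource_setup` could fall back to it instead of skipping the class; whether that interacts badly with `override_role` needs confirming. Separately, `cls.group = cls.setup_test_group()` and `cls.implies_role = cls.setup_test_role()` are set up here, but none of the moved tests reference them, so those two lines can be dropped.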
@@ -35,6 +35,10 @@ class IdentityTrustV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 if not CONF.identity_feature_enabled.trust:
 raise cls.skipException(
 "%s skipped as trust feature isn't enabled" % cls.__name__)
+ if CONF.identity_feature_enabled.immutable_user_source:
+ raise cls.skipException('Skipped because environment has an '
+ 'immutable user source and solely '
+ 'provides read-only access to users.')
 @classmethod
 def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 9f6f028e..0d2a04d0 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -13,12 +13,17 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import testtools
+
+from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators
 from patrole_tempest_plugin import rbac_rule_validation
 from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
 class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@@ -27,6 +32,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 super(IdentityUserV3RbacTest, cls).resource_setup()
 cls.default_user_id = cls.os_primary.credentials.user_id
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:create_user"])
 @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
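Review bot: The skip reason used in the test_users_rbac.py hunks, `"Configured to use an immutable user source"`, differs from the text given for the same condition in the other four files of this commit, including the trusts `skip_checks` hunk just above, so skip reports show two messages for one cause. Use the same wording here, `'Skipped because environment has an immutable user source and solely provides read-only access to users.'`, on the `identity:create_user` decorator and on the `identity:update_user` and `identity:delete_user` ones in the next two hunks. The decorated test bodies are outside the hunks.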
@@ -34,6 +41,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 with self.override_role():
 self.setup_test_user()
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:update_user"])
 @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d905')
@@ -47,6 +56,8 @@ class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
 name=user['name'],
 email=new_email)
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
 @rbac_rule_validation.action(service="keystone",
 rules=["identity:delete_user"])
 @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d906')