Adds server security group tests

Adds server security group RBAC tests and updates Nova security group RBAC tests. Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com> Change-Id: I7008e9d489517caa6b8ad743035661a3ab7c93af Closes-Bug: #1687315
2017-05-03 14:23:20 -04:00 · 2017-05-03 14:23:20 -04:00 · 7b761b809a
parent 4aa609ea01
commit 7b761b809a
3 changed files with 137 additions and 16 deletions
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
@ -21,10 +22,54 @@ from patrole_tempest_plugin.tests.api.compute import rbac_base

 class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):

+    # Tests in this class will fail with a 404 from microversion 2.36,
+    # according to:
+    # https://developer.openstack.org/api-ref/compute/#security-groups-os-security-groups-deprecated
+    max_microversion = '2.35'
+
    @rbac_rule_validation.action(
        service="nova",
        rule="os_compute_api:os-security-groups")
    @decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
-    def test_server_security_groups(self):
+    def test_list_security_groups(self):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self.security_groups_client.list_security_groups()
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
+    def test_create_security_groups(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.create_security_group()['id']
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
+    def test_delete_security_groups(self):
+        sec_group_id = self.create_security_group()['id']
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.security_groups_client.delete_security_group(sec_group_id)
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
+    def test_update_security_groups(self):
+        sec_group_id = self.create_security_group()['id']
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        new_name = data_utils.rand_name()
+        new_desc = data_utils.rand_name()
+        self.security_groups_client.update_security_group(sec_group_id,
+                                                          name=new_name,
+                                                          description=new_desc)
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
+    def test_show_security_groups(self):
+        sec_group_id = self.create_security_group()['id']
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.security_groups_client.show_security_group(sec_group_id)
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@ -17,11 +17,11 @@ from oslo_log import log

 from tempest.common import waiters
 from tempest import config
-
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators
 from tempest.lib import exceptions
+from tempest import test

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
@ -36,14 +36,14 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
    @classmethod
    def setup_clients(cls):
        super(ComputeServersRbacTest, cls).setup_clients()
-        cls.client = cls.servers_client
        cls.networks_client = cls.os_primary.networks_client
+        cls.ports_client = cls.os_primary.ports_client
        cls.subnets_client = cls.os_primary.subnets_client

    @classmethod
    def resource_setup(cls):
        super(ComputeServersRbacTest, cls).resource_setup()
-
+        cls.server = cls.create_test_server(wait_until='ACTIVE')
        # Create a volume
        volume_name = data_utils.rand_name(cls.__name__ + '-volume')
        name_field = 'name'
@ -66,7 +66,8 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
            self.__class__.__name__ + '-network')

        network = self.networks_client.create_network(
-            **{'name': network_name})['network']
+            name=network_name, port_security_enabled=True)['network']
+        self.addCleanup(self.networks_client.delete_network, network['id'])

        # Create subnet for the network
        subnet_name = data_utils.rand_name(self.__class__.__name__ + '-subnet')
@ -75,11 +76,7 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
            network_id=network['id'],
            cidr=CONF.network.project_network_cidr,
            ip_version=4)['subnet']
-
-        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.networks_client.delete_network, network['id'])
-        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
-                        self.subnets_client.delete_subnet, subnet['id'])
+        self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])

        return network

@ -134,6 +131,7 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
        self.create_test_server(wait_until='ACTIVE',
                                availability_zone=availability_zone)

+    @test.services('volume')
    @rbac_rule_validation.action(
        service="nova",
        rule="os_compute_api:servers:create:attach_volume")
@ -142,20 +140,18 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self._create_test_server_with_volume(self.volume_id)

+    @test.services('network')
    @rbac_rule_validation.action(
        service="nova",
        rule="os_compute_api:servers:create:attach_network")
    @decorators.idempotent_id('b44cd4ff-50a4-42ce-ada3-724e213cd540')
    def test_create_server_attach_network(self):
        network = self._create_network_resources()
-        network_id = {'uuid': network['id']}
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        network_id = {'uuid': network['id']}
        server = self.create_test_server(wait_until='ACTIVE',
                                         networks=[network_id])

-        # The network resources created is for this test case only. We will
-        # clean them up after this test case. In order to do that,
-        # we need to clean up the server first.
        self.addCleanup(waiters.wait_for_server_termination,
                        self.servers_client, server['id'])
        self.addCleanup(self.servers_client.delete_server, server['id'])
@ -175,13 +171,80 @@ class ComputeServersRbacTest(base.BaseV2ComputeRbacTest):
        rule="os_compute_api:servers:update")
    @decorators.idempotent_id('077b17cb-5621-43b9-8adf-5725f0d7a863')
    def test_update_server(self):
-        server = self.create_test_server(wait_until='ACTIVE')
        new_name = data_utils.rand_name(self.__class__.__name__ + '-server')
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        try:
-            self.servers_client.update_server(server['id'], name=new_name)
+            self.servers_client.update_server(self.server['id'], name=new_name)
+            waiters.wait_for_server_status(self.os_admin.servers_client,
+                                           self.server['id'], 'ACTIVE')
        except exceptions.ServerFault as e:
            # Some other policy may have blocked it.
            LOG.info("ServerFault exception caught. Some other policy "
                     "blocked updating of server")
            raise rbac_exceptions.RbacActionFailed(e)
+
+
+class SecurtiyGroupsRbacTest(base.BaseV2ComputeRbacTest):
+    """Tests non-deprecated security group policies. Requires network service.
+
+    This class tests non-deprecated policies for adding and removing a security
+    group to and from a server.
+    """
+
+    @classmethod
+    def setup_credentials(cls):
+        # A network and a subnet will be created for these tests.
+        cls.set_network_resources(network=True, subnet=True)
+        super(SecurtiyGroupsRbacTest, cls).setup_credentials()
+
+    @classmethod
+    def skip_checks(cls):
+        super(SecurtiyGroupsRbacTest, cls).skip_checks()
+        # All the tests below require the network service.
+        if not test.get_service_list()['network']:
+            raise cls.skipException(
+                'Skipped because the network service is not available')
+
+    @classmethod
+    def resource_setup(cls):
+        super(SecurtiyGroupsRbacTest, cls).resource_setup()
+        cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
+    def test_list_security_groups_by_server(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.servers_client.list_security_groups_by_server(self.server['id'])
+
+    @test.attr(type=["slow"])
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
+    def test_create_security_group_for_server(self):
+        sg_name = self.create_security_group()['name']
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.servers_client.add_security_group(self.server['id'], name=sg_name)
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.servers_client.remove_security_group,
+                        self.server['id'], name=sg_name)
+
+    @test.attr(type=["slow"])
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-security-groups")
+    @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
+    def test_remove_security_group_from_server(self):
+        sg_name = self.create_security_group()['name']
+
+        self.servers_client.add_security_group(self.server['id'], name=sg_name)
+        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+                        self.servers_client.remove_security_group,
+                        self.server['id'], name=sg_name)
+
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.servers_client.remove_security_group(
+            self.server['id'], name=sg_name)
--- a/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
+++ b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Add security groups and server security groups
+    tests to Nova RBAC tests.
+fixes:
+  - |
+    Add microversion check to test_security_groups_rbac
+    as tests in this file will fail with a 404 after
+    2.36.
+  - Rename test_server_security_groups to
+    test_list_security_groups to properly reflect the
+    test actually being run.