Add tests to cover segments

This patch set adds tests to cver the neutron segments API [0]. Test lists, gets, creates, updates, and deletes segments. Part of "Increase Neutron RBAC Coverage" initiative [1] [0] https://developer.openstack.org/api-ref/network/v2/index.html#segments [1] https://storyboard.openstack.org/#!/story/2002641 Story: 2002641 Task: 22306 Change-Id: I8eef0dcd5355d6212ead2bcb109f23ca0b613109
2018-07-23 12:13:02 -05:00 · 2018-07-23 12:13:02 -05:00 · d067148212
parent 05a73499ce
commit d067148212
4 changed files with 211 additions and 2 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -1,7 +1,9 @@
 - job:
    name: patrole-base
    parent: devstack-tempest
-    description: Patrole base job for admin and member roles.
+    description: |
+       Patrole base job for admin and member roles. This job executes RBAC tests
+       for all the "core" services that Tempest covers, excluding Swift.
    required-projects:
      - name: openstack/tempest
      - name: openstack/patrole
@ -17,7 +19,7 @@
      - ^setup.cfg$
    vars:
      devstack_localrc:
-        TEMPEST_PLUGINS: "'{{ ansible_user_dir }}/src/git.openstack.org/openstack/patrole'"
+        TEMPEST_PLUGINS: "'/opt/stack/patrole'"
      devstack_plugins:
        patrole: git://git.openstack.org/openstack/patrole.git
      devstack_services:
@ -127,6 +129,47 @@
        # Without Swift, c-bak cannot run (in the gate at least).
        c-bak: false

+- job:
+    name: patrole-plugin-base
+    parent: patrole-base
+    description: |
+         Patrole plugin job for admin and member roles which
+         runs RBAC tests for neutron-tempest-plugin APIs (if the plugin is installed).
+    required-projects:
+      - name: openstack/tempest
+      - name: openstack/patrole
+      - name: openstack/neutron-tempest-plugin
+    vars:
+      devstack_localrc:
+        TEMPEST_PLUGINS: "'/opt/stack/patrole
+                           /opt/stack/neutron-tempest-plugin'"
+      devstack_plugins:
+        neutron: git://git.openstack.org/openstack/neutron.git
+        patrole: git://git.openstack.org/openstack/patrole.git
+        neutron-tempest-plugin: git://git.openstack.org/openstack/neutron-tempest-plugin.git
+      devstack_services:
+        tempest: true
+        neutron: true
+        neutron-segments: true
+
+- job:
+    name: patrole-plugin-member
+    parent: patrole-plugin-base
+    voting: false
+    vars:
+      devstack_localrc:
+        RBAC_TEST_ROLE: member
+      tempest_test_regex: (?=.*PluginRbacTest)(^patrole_tempest_plugin\.tests\.api)
+
+- job:
+    name: patrole-plugin-admin
+    parent: patrole-plugin-base
+    voting: false
+    vars:
+      devstack_localrc:
+        RBAC_TEST_ROLE: admin
+      tempest_test_regex: (?=.*PluginRbacTest)(^patrole_tempest_plugin\.tests\.api)
+
 - project:
    check:
      jobs:
@ -138,6 +181,8 @@
        - patrole-multinode-admin
        - patrole-multinode-member
        - openstack-tox-lower-constraints
+        - patrole-plugin-admin
+        - patrole-plugin-member
    gate:
      jobs:
        - patrole-admin
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@ -33,3 +33,41 @@ class BaseNetworkRbacTest(rbac_utils.RbacUtilsMixin,
    def setup_clients(cls):
        super(BaseNetworkRbacTest, cls).setup_clients()
        cls.setup_rbac_utils()
+
+
+class BaseNetworkPluginRbacTest(BaseNetworkRbacTest):
+    """Base class to be used with tests that require neutron-tempest-plugin.
+    """
+
+    @classmethod
+    def skip_checks(cls):
+        super(BaseNetworkPluginRbacTest, cls).skip_checks()
+
+        if not cls.is_neutron_tempest_plugin_avaliable():
+            msg = ("neutron-tempest-plugin not installed.")
+            raise cls.skipException(msg)
+
+    @classmethod
+    def is_neutron_tempest_plugin_avaliable(cls):
+        try:
+            import neutron_tempest_plugin  # noqa
+            return True
+        except ImportError:
+            return False
+
+    @classmethod
+    def get_client_manager(cls, credential_type=None, roles=None,
+                           force_new=None):
+        manager = super(BaseNetworkPluginRbacTest, cls).get_client_manager(
+            credential_type=credential_type,
+            roles=roles,
+            force_new=force_new
+        )
+
+        # Import neutron-tempest-plugin clients
+        if cls.is_neutron_tempest_plugin_avaliable():
+            from neutron_tempest_plugin.api import clients
+            neutron_tempest_manager = clients.Manager(manager.credentials)
+            cls.ntp_client = neutron_tempest_manager.network_client
+
+        return manager
--- a/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
@ -0,0 +1,119 @@
+# Copyright 2018 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import random
+
+from tempest.common import utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class SegmentsPluginRbacTest(base.BaseNetworkPluginRbacTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super(SegmentsPluginRbacTest, cls).skip_checks()
+        if not utils.is_extension_enabled('segment', 'network'):
+            msg = "segment extension not enabled."
+            raise cls.skipException(msg)
+
+    @classmethod
+    def resource_setup(cls):
+        super(SegmentsPluginRbacTest, cls).resource_setup()
+        cls.network = cls.create_network()
+
+    @classmethod
+    def get_free_segmentation_id(cls):
+        # Select unused segmentation_id to prevent usage conflict
+        segments = cls.ntp_client.list_segments()["segments"]
+        segmentation_ids = [s["segmentation_id"] for s in segments]
+
+        # With 2+ concurrency, tests that ran in the same moment may fail due
+        # to usage conflict. To prevent it we select segmentation to start
+        # randomly.
+        segmentation_id = random.randint(1000, 5000)
+        while segmentation_id in segmentation_ids:
+            segmentation_id += 1
+
+        return segmentation_id
+
+    @classmethod
+    def create_segment(cls, network):
+        segmentation_id = cls.get_free_segmentation_id()
+
+        seg = cls.ntp_client.create_segment(
+            network_id=network['id'], network_type="gre",
+            segmentation_id=segmentation_id)
+        cls.addClassResourceCleanup(
+            test_utils.call_and_ignore_notfound_exc,
+            cls.ntp_client.delete_segment, seg['segment']['id'])
+
+        return seg
+
+    @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08126')
+    @rbac_rule_validation.action(service="neutron",
+                                 rules=["create_segment"])
+    def test_create_segment(self):
+        """Create segment.
+
+        RBAC test for the neutron "create_segment" policy
+        """
+        with self.rbac_utils.override_role(self):
+            self.create_segment(self.network)
+
+    @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08127')
+    @rbac_rule_validation.action(service="neutron",
+                                 rules=["get_segment"])
+    def test_show_segment(self):
+        """Show segment.
+
+        RBAC test for the neutron "get_segment" policy
+        """
+        segment = self.create_segment(self.network)
+
+        with self.rbac_utils.override_role(self):
+            self.ntp_client.show_segment(segment['segment']['id'])
+
+    @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08128')
+    @rbac_rule_validation.action(service="neutron",
+                                 rules=["get_segment",
+                                        "update_segment"])
+    def test_update_segment(self):
+        """Update segment.
+
+        RBAC test for the neutron "update_segment" policy
+        """
+        segment = self.create_segment(self.network)
+
+        with self.rbac_utils.override_role(self):
+            self.ntp_client.update_segment(segment['segment']['id'],
+                                           name="NewName")
+
+    @decorators.idempotent_id('c02618e7-bb20-1a3a-83c8-6eec2af08129')
+    @rbac_rule_validation.action(service="neutron",
+                                 rules=["get_segment",
+                                        "delete_segment"])
+    def test_delete_segment(self):
+        """Delete segment.
+
+        RBAC test for the neutron "delete_segment" policy
+        """
+        segment = self.create_segment(self.network)
+
+        with self.rbac_utils.override_role(self):
+            self.ntp_client.delete_segment(segment['segment']['id'])
--- a/releasenotes/notes/add-neutron-tempest-plugin-clients-c031e232021b390c.yaml
+++ b/releasenotes/notes/add-neutron-tempest-plugin-clients-c031e232021b390c.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    In order to strive toward complete test coverage for the services it
+    tests, Patrole now offers RBAC coverage for the APIs included in
+    neutron-tempest-plugin. If this plugin is not installed or enabled, then
+    Patrole will skip those tests.