104 lines
3.6 KiB
Python
104 lines
3.6 KiB
Python
# Copyright 2017 AT&T Corporation.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import os
|
|
|
|
from tempest import config
|
|
from tempest.tests import base
|
|
|
|
from patrole_tempest_plugin import rbac_role_converter
|
|
|
|
CONF = config.CONF
|
|
|
|
|
|
class RbacPolicyTest(base.TestCase):
|
|
|
|
def setUp(self):
|
|
super(RbacPolicyTest, self).setUp()
|
|
|
|
current_directory = os.path.dirname(os.path.realpath(__file__))
|
|
self.custom_policy_file = os.path.join(current_directory,
|
|
'resources',
|
|
'custom_rbac_policy.json')
|
|
self.admin_policy_file = os.path.join(current_directory,
|
|
'resources',
|
|
'admin_rbac_policy.json')
|
|
|
|
def test_custom_policy(self):
|
|
default_roles = ['zero', 'one', 'two', 'three', 'four',
|
|
'five', 'six', 'seven', 'eight', 'nine']
|
|
|
|
converter = rbac_role_converter.RbacPolicyConverter(
|
|
None, "test", self.custom_policy_file)
|
|
|
|
expected = {
|
|
'policy_action_1': ['two', 'four', 'six', 'eight'],
|
|
'policy_action_2': ['one', 'three', 'five', 'seven', 'nine'],
|
|
'policy_action_3': ['zero'],
|
|
'policy_action_4': ['one', 'two', 'three', 'five', 'seven'],
|
|
'policy_action_5': ['zero', 'one', 'two', 'three', 'four', 'five',
|
|
'six', 'seven', 'eight', 'nine'],
|
|
'policy_action_6': ['eight'],
|
|
}
|
|
|
|
fake_rule = 'fake_rule'
|
|
|
|
for role in default_roles:
|
|
self.assertRaises(KeyError, converter.allowed, fake_rule, role)
|
|
|
|
for rule, role_list in expected.items():
|
|
for role in role_list:
|
|
self.assertTrue(converter.allowed(rule, role))
|
|
for role in set(default_roles) - set(role_list):
|
|
self.assertFalse(converter.allowed(rule, role))
|
|
|
|
def test_admin_policy_file_with_admin_role(self):
|
|
converter = rbac_role_converter.RbacPolicyConverter(
|
|
None, "test", self.admin_policy_file)
|
|
|
|
role = 'admin'
|
|
allowed_rules = [
|
|
'admin_rule'
|
|
]
|
|
disallowed_rules = [
|
|
'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
|
|
|
|
for rule in allowed_rules:
|
|
allowed = converter.allowed(rule, role)
|
|
self.assertTrue(allowed)
|
|
|
|
for rule in disallowed_rules:
|
|
allowed = converter.allowed(rule, role)
|
|
self.assertFalse(allowed)
|
|
|
|
def test_admin_policy_file_with_member_role(self):
|
|
converter = rbac_role_converter.RbacPolicyConverter(
|
|
None, "test", self.admin_policy_file)
|
|
|
|
role = 'Member'
|
|
allowed_rules = [
|
|
'non_admin_rule'
|
|
]
|
|
disallowed_rules = [
|
|
'admin_rule', 'is_admin_rule', 'alt_admin_rule']
|
|
|
|
for rule in allowed_rules:
|
|
allowed = converter.allowed(rule, role)
|
|
self.assertTrue(allowed)
|
|
|
|
for rule in disallowed_rules:
|
|
allowed = converter.allowed(rule, role)
|
|
self.assertFalse(allowed)
|