Module that implements the decorator which serves as the entry point for RBAC validation testing. The decorator should be applied to every RBAC test with the appropriate service (an OpenStack service) and rule (an OpenStack policy name defined by that service).
patrole_tempest_plugin.rbac_rule_validation._format_extra_target_data(test_obj, extra_target_data)

Formats the "extra_target_data" dictionary with correct test data.
Before being formatted, "extra_target_data" is a dictionary that maps a policy string like "trust.trustor_user_id" to a dotted path of nested tempest.test.BaseTestCase attributes. For example, the attribute path in:

    "trust.trustor_user_id": "os.auth_provider.credentials.user_id"

is parsed by iteratively calling getattr on each component of the path until the value of "user_id" is resolved. The resulting dictionary contains:

    "trust.trustor_user_id": "the user_id of the `os_primary` credential"

(In Tempest, `os` is an alias for `os_primary`, which is why the path and the result name different attributes.)
Parameters: test_obj, extra_target_data (see the signature above).
Returns: Dictionary containing the additional object data, with each attribute path resolved to its value.
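The following is an added example, not Patrole's own code: it implements the attribute-path walk described above against a constructed stand-in for a tempest.test.BaseTestCase (built from SimpleNamespace objects with made-up user and project IDs), and it turns an unresolvable path into an error that names the offending policy key rather than letting a typo produce a missing policy target. The function and helper names (format_extra_target_data, make_fake_test_case) and the policy keys used as input are this example's own.

```python
from types import SimpleNamespace


def format_extra_target_data(test_obj, extra_target_data):
    """Resolve each dotted attribute path in ``extra_target_data``.

    For every policy string the value is a path such as
    "os.auth_provider.credentials.user_id"; it is walked one attribute at a
    time with getattr, starting from ``test_obj``. An attribute that does not
    exist is reported together with the policy key it belongs to, so the
    caller learns which target datum is broken instead of getting a bare
    AttributeError deep inside the policy check.
    """
    formatted = {}
    for policy_key, attr_path in extra_target_data.items():
        value = test_obj
        try:
            for attr in attr_path.split("."):
                value = getattr(value, attr)
        except AttributeError as exc:
            raise ValueError(
                "cannot resolve %r for policy key %r: %s"
                % (attr_path, policy_key, exc)) from exc
        formatted[policy_key] = value
    return formatted


def make_fake_test_case():
    """Constructed stand-in for a tempest.test.BaseTestCase instance.

    Only the attribute chains this example walks are present and all IDs are
    made up. ``os`` points at the same object as ``os_primary`` because that
    is the alias Tempest provides.
    """
    primary = SimpleNamespace(auth_provider=SimpleNamespace(
        credentials=SimpleNamespace(user_id="9f2c1d", project_id="4a7e0b")))
    alt = SimpleNamespace(auth_provider=SimpleNamespace(
        credentials=SimpleNamespace(user_id="51bb7e", project_id="c3d9a2")))
    return SimpleNamespace(os=primary, os_primary=primary, os_alt=alt)


if __name__ == "__main__":
    test_case = make_fake_test_case()
    print(format_extra_target_data(test_case, {
        "trust.trustor_user_id": "os.auth_provider.credentials.user_id",
        "trust.trustee_user_id": "os_alt.auth_provider.credentials.user_id",
    }))
```

Resolving the paths eagerly, before the API call is made, also means a mis-typed path fails the test during setup rather than producing a policy evaluation against a missing target, which could otherwise be mistaken for a genuine permission result.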
patrole_tempest_plugin.rbac_rule_validation._get_exception_type(expected_error_code=403)

Dynamically calculate the expected exception to be caught by the test case. Only Forbidden and NotFound exceptions are permitted. NotFound is supported because Neutron, for security reasons, masks Forbidden exceptions as NotFound exceptions (a 403 would confirm to an unauthorized caller that the resource exists). A 404 should therefore only be expected from an endpoint that is known to perform this masking; otherwise a genuinely missing resource would be mistaken for a correctly enforced policy.

Parameters: expected_error_code – the integer representation of the expected exception to be caught. Must be contained in _SUPPORTED_ERROR_CODES.
Returns: tuple of the exception type corresponding to expected_error_code and a message explaining that a non-Forbidden exception was expected, if applicable.
patrole_tempest_plugin.rbac_rule_validation._is_authorized

Validates whether the current RBAC role has permission to perform the policy action.

Returns: True if the current RBAC role can perform the policy action, else False.
Raises: RbacResourceSetupFailed – If project_id or user_id are missing from the auth_provider attribute in test_obj.
patrole_tempest_plugin.rbac_rule_validation.action(service, rule='', rules=None, expected_error_code=403, expected_error_codes=None, extra_target_data=None)

A decorator for verifying OpenStack policy enforcement.

A decorator which allows for positive and negative RBAC testing. Given an OpenStack service, a policy action (rule) enforced by that service, and the test role configured as [patrole] rbac_test_role, it determines whether the test role has sufficient permissions to perform an API call that enforces the rule.
This decorator should only be applied to an instance or subclass of tempest.test.BaseTestCase.

The result from _is_authorized is used to determine the expected test result. The actual test result is determined by running the Tempest test this decorator applies to.

Below are the possibilities from comparing the expected and actual results:

1) If expected is True and the test passes (actual), this is a success.
2) If expected is True and the test fails (actual), this results in a RbacUnderPermissionException exception failure.
3) If expected is False and the test passes (actual), this results in a RbacOverPermissionException exception failure.
4) If expected is False and the test fails (actual), this is a success.

As such, negative and positive testing can be applied using this decorator.
Parameters:
service – the OpenStack service whose policy is enforced (for example "nova").
rule – the policy action (policy name) defined by that service.
rules – a list of policy actions, used in place of rule.
expected_error_code – the HTTP error code expected when the role is denied. Defaults to 403 and must be one of the codes accepted by _get_exception_type (403 or 404).
expected_error_codes – a list of expected error codes, one per entry in rules, used together with rules.
extra_target_data – dictionary mapping policy strings to dotted tempest.test.BaseTestCase attribute paths, resolved by _format_extra_target_data.
Raises:
RbacUnderPermissionException – if the role was expected to be allowed but the test failed.
RbacOverPermissionException – if the role was expected to be denied but the test passed.
Examples:
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-agents")
def test_list_agents_rbac(self):
# The call to `override_role` is mandatory.
with self.rbac_utils.override_role(self):
self.agents_client.list_agents()
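The following is an added example, not Patrole's own code: it implements the expected-versus-actual matrix described for the action decorator and the 403/404 handling described under _get_exception_type in plain Python. The exception classes are stand-ins (the real ones are tempest.lib.exceptions.Forbidden/NotFound and Patrole's Rbac* exceptions), the policy answer is injected as a callable instead of being computed by _is_authorized, and the API calls are constructed functions rather than Tempest clients. The names get_exception_type, action, outcome and api_* belong to this example, not to the module.

```python
import functools


# Stand-ins so the example runs offline. The real classes are
# tempest.lib.exceptions.Forbidden / NotFound and Patrole's own Rbac*
# exceptions; none of these definitions is the project's code.
class Forbidden(Exception):
    """The API answered 403."""

class NotFound(Exception):
    """The API answered 404 (Neutron masks 403 as 404)."""

class RbacUnderPermissionException(Exception):
    """Policy says the role is allowed, but the API denied the call."""

class RbacOverPermissionException(Exception):
    """Policy says the role is denied, but the API allowed the call."""


_SUPPORTED_ERROR_CODES = {403: Forbidden, 404: NotFound}


def get_exception_type(expected_error_code=403):
    """Map an expected error code to (exception type, explanatory message).

    Anything other than 403/404 is rejected: a decorator told to treat a 500
    as "denied" would let a broken endpoint pass as an enforced policy.
    """
    if expected_error_code not in _SUPPORTED_ERROR_CODES:
        raise ValueError("expected_error_code %r not in %s" % (
            expected_error_code, sorted(_SUPPORTED_ERROR_CODES)))
    exc_type = _SUPPORTED_ERROR_CODES[expected_error_code]
    message = None
    if exc_type is not Forbidden:
        message = ("%s expected instead of Forbidden; only valid if the "
                   "endpoint really masks 403 as %d"
                   % (exc_type.__name__, expected_error_code))
    return exc_type, message


def action(is_authorized, expected_error_code=403):
    """Apply the expected-vs-actual matrix to the decorated test.

    ``is_authorized`` takes the test's arguments and returns the expected
    outcome (True if the role should be allowed). Patrole gets that answer
    from ``_is_authorized``; here it is injected so no policy engine is needed.
    """
    expected_exception, _ = get_exception_type(expected_error_code)

    def decorator(test_func):
        @functools.wraps(test_func)
        def wrapper(*args, **kwargs):
            expected = is_authorized(*args, **kwargs)
            try:
                result = test_func(*args, **kwargs)
            except (Forbidden, NotFound) as exc:
                if expected:
                    # Allowed by policy, denied by the API.
                    raise RbacUnderPermissionException(
                        "denied an action the policy permits: %r" % exc
                    ) from exc
                if not isinstance(exc, expected_exception):
                    # Denied as predicted, but with the other code: the test
                    # declared the wrong expected_error_code. Re-raise rather
                    # than count a mismatched denial as a pass.
                    raise
                return None  # denied by policy and by the API: success
            if not expected:
                # Denied by policy, yet the API allowed it.
                raise RbacOverPermissionException(
                    "performed an action the policy forbids")
            return result  # allowed by policy and by the API: success
        return wrapper
    return decorator


# Constructed API calls standing in for a Tempest service client.
def api_allows():
    return "200 OK"

def api_denies_403():
    raise Forbidden("403 Forbidden")

def api_denies_404():
    raise NotFound("404 Not Found")


def outcome(allowed_by_policy, expected_error_code, api_call):
    """Run ``api_call`` under the decorator and name the matrix row hit."""
    @action(lambda: allowed_by_policy, expected_error_code)
    def test_case():
        api_call()

    try:
        test_case()
    except RbacUnderPermissionException:
        return "under-permission"
    except RbacOverPermissionException:
        return "over-permission"
    except (Forbidden, NotFound) as exc:
        return "unexpected %s" % type(exc).__name__
    return "success"
```

The one behaviour worth noting beyond the four rows of the matrix is the mismatched-denial case: when the policy predicts a denial and the API does deny, but with the other of the two permitted codes, this example re-raises instead of reporting success, because a test that expects 404 from an endpoint that actually returns 403 (or the reverse) is asserting a masking behaviour the service does not have.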
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.