def test_get_flavor_rxtx(self):
    """Check that show-flavor returns ``rxtx_factor`` with the role overridden.

    Raises:
        RbacMissingAttributeResponseBody: ``rxtx_factor`` is not a key of
            the returned flavor. Only key presence is checked, not value.
    """
    # Only the API call runs inside the role override; the response is
    # inspected afterwards.
    with self.override_role():
        flavor_id = CONF.compute.flavor_ref
        flavor = self.flavors_client.show_flavor(flavor_id)['flavor']
    if 'rxtx_factor' in flavor:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='rxtx_factor')
def test_show_server_keypair(self):
    """Check that show-server exposes ``key_name`` with the role overridden.

    Raises:
        RbacMissingAttributeResponseBody: ``key_name`` is not a key of the
            returned server body.
    """
    with self.override_role():
        shown = self.servers_client.show_server(self.server['id'])
        server = shown['server']
    if 'key_name' in server:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='key_name')
def test_list_backup_details_project_attribute(self):
    """Check the detailed backup listing carries ``self.expected_attr``.

    Raises:
        RbacMissingAttributeResponseBody: the first listed backup lacks
            the attribute.
    """
    with self.override_role():
        backups = self.backups_client.list_backups(detail=True)['backups']
    wanted = self.expected_attr
    # NOTE(review): [0] raises IndexError on an empty listing; presumably
    # class setup creates a backup first -- confirm.
    first_backup = backups[0]
    if wanted not in first_backup:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
def test_show_server_host_status(self):
    """Check that show-server returns ``host_status`` with the role overridden.

    Raises:
        RbacMissingAttributeResponseBody: ``host_status`` is absent from
            the server body.
    """
    with self.override_role():
        details = self.servers_client.show_server(self.server_id)['server']
    if 'host_status' in details:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='host_status')
def test_show_server_config_drive(self):
    """Verify ``config_drive`` is present in the show-server response body.

    Raises:
        RbacMissingAttributeResponseBody: the key is missing.
    """
    wanted = 'config_drive'
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']
    if wanted in server:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(attribute=wanted)
def test_show_group_type(self):
    """Check that show-group-type returns ``group_specs``.

    The group type is created before the role override is entered; only
    the show call runs under it.

    Raises:
        RbacMissingAttributeResponseBody: ``group_specs`` is absent.
    """
    created = self.create_group_type()
    with self.override_role():
        shown = self.group_types_client.show_group_type(created['id'])
        group_type_body = shown['group_type']
    if 'group_specs' in group_type_body:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='group_specs')
def test_show_backup_project_attribute(self):
    """Check that show-backup returns ``self.expected_attr``.

    Raises:
        RbacMissingAttributeResponseBody: the attribute is absent from
            the backup body.
    """
    with self.override_role():
        backup = self.backups_client.show_backup(self.backup['id'])['backup']
    # Show backup API attempts to inject the attribute below into the
    # response body but only if policy enforcement succeeds, so absence
    # (not an HTTP error) is the denial signal here.
    wanted = self.expected_attr
    if wanted not in backup:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
def test_show_image_includes_image_size(self):
    """Check that show-image returns ``OS-EXT-IMG-SIZE:size``.

    Raises:
        RbacMissingAttributeResponseBody: the key is absent from the
            image body.
    """
    size_key = 'OS-EXT-IMG-SIZE:size'
    with self.override_role():
        shown = self.compute_images_client.show_image(self.image['id'])
        image = shown['image']
    if size_key in image:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute=size_key)
def test_show_server_extended_availability_zone(self):
    """Verify show-server returns the OS-EXT-AZ:availability_zone key.

    Raises:
        RbacMissingAttributeResponseBody: the key is missing.
    """
    az_key = 'OS-EXT-AZ:availability_zone'
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']
    if az_key in server:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(attribute=az_key)
def test_list_servers_with_details_config_drive(self):
    """Verify the detailed server listing includes ``config_drive``.

    Raises:
        RbacMissingAttributeResponseBody: the first listed server lacks
            the key.
    """
    wanted = 'config_drive'
    with self.override_role():
        servers = self.servers_client.list_servers(detail=True)['servers']
    # If the first server contains "config_drive", then all the others do.
    # NOTE(review): [0] raises IndexError if the listing is empty.
    first_server = servers[0]
    if wanted not in first_server:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
def test_list_images_with_details_includes_image_size(self):
    """Check the detailed image listing returns ``OS-EXT-IMG-SIZE:size``.

    Raises:
        RbacMissingAttributeResponseBody: the first listed image lacks
            the key.
    """
    size_key = 'OS-EXT-IMG-SIZE:size'
    with self.override_role():
        listing = self.compute_images_client.list_images(detail=True)
        images = listing['images']
    # Only the first image is inspected.
    # NOTE(review): [0] raises IndexError if the listing is empty.
    first_image = images[0]
    if size_key not in first_image:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=size_key)
def test_create_group_type_group_specs(self):
    """Check that a created group type carries ``group_specs``.

    Unlike the show tests, the create call itself runs under the role
    override.

    Raises:
        RbacMissingAttributeResponseBody: ``group_specs`` is absent from
            the created group type.
    """
    # TODO(felipemonteiro): Combine with ``test_create_group_type``
    # once multiple policy testing is supported. This policy is
    # only enforced after "group:group_types_manage".
    with self.override_role():
        created = self.create_group_type(ignore_notfound=True)
    if 'group_specs' in created:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='group_specs')
def test_show_flavor_contains_is_public_key(self):
    """Check that show-flavor returns ``os-flavor-access:is_public``.

    Raises:
        RbacMissingAttributeResponseBody: the key is absent from the
            flavor body.
    """
    flavor_id = CONF.compute.flavor_ref
    access_key = 'os-flavor-access:is_public'
    with self.override_role():
        flavor = self.flavors_client.show_flavor(flavor_id)['flavor']
    if access_key in flavor:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute=access_key)
def test_list_servers_with_details_extended_availability_zone(self):
    """Verify the detailed server listing has OS-EXT-AZ:availability_zone.

    Raises:
        RbacMissingAttributeResponseBody: the first listed server lacks
            the key.
    """
    az_key = 'OS-EXT-AZ:availability_zone'
    with self.override_role():
        servers = self.servers_client.list_servers(detail=True)['servers']
    # If the first server contains `az_key`, then all the others do.
    # NOTE(review): [0] raises IndexError if the listing is empty.
    first_server = servers[0]
    if az_key not in first_server:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=az_key)
def test_show_server_extended_volumes(self):
    """Verify show-server returns os-extended-volumes:volumes_attached.

    Raises:
        RbacMissingAttributeResponseBody: the key is missing.
    """
    volumes_key = 'os-extended-volumes:volumes_attached'
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']
    if volumes_key in server:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute=volumes_key)
def test_show_instance_action(self):
    """Test show instance action, part of os-instance-actions.

    Two keys are required, checked in order: ``events`` on the action,
    then ``traceback`` on its first event.

    Raises:
        RbacMissingAttributeResponseBody: with ``events`` or
            ``events.traceback``, whichever is found missing first.
    """
    # NOTE: "os_compute_api:os-instance-actions" is also enforced.
    req_id = self.server.response['x-compute-request-id']
    with self.override_role():
        shown = self.servers_client.show_instance_action(
            self.server['id'], req_id)
        action = shown['instanceAction']

    if 'events' not in action:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='events')

    # Microversion 2.51+ returns 'events' always, but not 'traceback'. If
    # 'traceback' is also present then policy enforcement passed.
    # NOTE(review): [0] raises IndexError if 'events' is an empty list.
    first_event = action['events'][0]
    if 'traceback' not in first_event:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='events.traceback')
def test_show_server_extended_status(self):
    """Verify show-server returns the three OS-EXT-STS status keys.

    Raises:
        RbacMissingAttributeResponseBody: for the first key, in the
            order listed below, that is missing from the server body.
    """
    status_keys = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                   'OS-EXT-STS:power_state')
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']
    absent = next((key for key in status_keys if key not in server), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_list_servers_extended_status(self):
    """Verify the detailed server listing has the OS-EXT-STS status keys.

    Raises:
        RbacMissingAttributeResponseBody: for the first key, in the
            order listed below, missing from the first listed server.
    """
    status_keys = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                   'OS-EXT-STS:power_state')
    with self.override_role():
        servers = self.servers_client.list_servers(detail=True)['servers']
    # Only the first server is inspected.
    # NOTE(review): [0] raises IndexError if the listing is empty.
    first_server = servers[0]
    absent = next(
        (key for key in status_keys if key not in first_server), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_list_servers_with_details_extended_volumes(self):
    """Verify the server listing has os-extended-volumes:volumes_attached.

    Raises:
        RbacMissingAttributeResponseBody: the first listed server lacks
            the key.
    """
    volumes_key = 'os-extended-volumes:volumes_attached'
    with self.override_role():
        servers = self.servers_client.list_servers(detail=True)['servers']
    # Only the first server is inspected.
    # NOTE(review): [0] raises IndexError if the listing is empty.
    first_server = servers[0]
    if volumes_key not in first_server:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=volumes_key)
def test_list_snapshots_details_with_extended_attributes(self):
    """List snapshot details, filtered by name, with extended attributes.

    Raises:
        RbacMissingAttributeResponseBody: for the first extended
            attribute missing from the first listed snapshot.
    """
    extended_keys = ('os-extended-snapshot-attributes:project_id',
                     'os-extended-snapshot-attributes:progress')
    filters = {'name': self.snapshot['name']}
    with self.override_role():
        snapshots = self._list_by_param_values(with_detail=True, **filters)
    # NOTE(review): [0] raises IndexError if no snapshot matched the
    # name filter.
    first_snapshot = snapshots[0]
    absent = next(
        (key for key in extended_keys if key not in first_snapshot), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_show_snapshot_with_extended_attributes(self):
    """Show a snapshot and check its extended attributes.

    Raises:
        RbacMissingAttributeResponseBody: for the first extended
            attribute missing from the snapshot body.
    """
    extended_keys = ('os-extended-snapshot-attributes:project_id',
                     'os-extended-snapshot-attributes:progress')
    with self.override_role():
        shown = self.snapshots_client.show_snapshot(self.snapshot['id'])
        snapshot = shown['snapshot']
    absent = next((key for key in extended_keys if key not in snapshot), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_show_port_binding_vif_details(self):
    """Request only ``binding:vif_details`` of a port and expect it back.

    Raises:
        RbacMissingAttributeResponseBody: the requested field is absent
            from the returned port.
    """
    # Verify specific fields of a port
    requested_fields = ['binding:vif_details']
    with self.override_role():
        shown = self.ports_client.show_port(self.port['id'],
                                            fields=requested_fields)
        port = shown['port']
    # Rather than throwing a 403, the field is not present, so raise exc.
    if requested_fields[0] in port:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='binding:vif_details')
def test_show_volume_details_image_metadata(self):
    """Check that show-volume returns ``volume_image_metadata``.

    Image metadata is set on the volume (and its removal registered as
    cleanup) before the role override is entered.

    Raises:
        RbacMissingAttributeResponseBody: the key is absent from the
            volume body.
    """
    volume_id = self.volume['id']
    self.volumes_client.update_volume_image_metadata(
        volume_id, image_id=self.image_id)
    self.addCleanup(self.volumes_client.delete_volume_image_metadata,
                    self.volume['id'], 'image_id')

    metadata_key = 'volume_image_metadata'
    with self.override_role():
        volume = self.volumes_client.show_volume(self.volume['id'])['volume']
    if metadata_key in volume:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute=metadata_key)
def test_list_flavors_details_contains_is_public_key(self):
    """Check some listed flavor carries ``os-flavor-access:is_public``.

    Unlike the other list checks, every flavor is scanned and one match
    is enough; an empty listing is reported as a missing attribute too.

    Raises:
        RbacMissingAttributeResponseBody: no listed flavor has the key.
    """
    access_key = 'os-flavor-access:is_public'
    with self.override_role():
        listing = self.flavors_client.list_flavors(detail=True)['flavors']
    # There should already be a public flavor available, namely
    # `CONF.compute.flavor_ref`.
    found = any(access_key in flavor for flavor in listing)
    # If the `access_key` was not found in any flavor, then policy
    # enforcement failed.
    if found:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute=access_key)
def test_show_server_usage(self):
    """Test show server usage, part of os-server-usage.

    Requires both ``OS-SRV-USG`` keys in the show-server body and raises
    RbacMissingAttributeResponseBody for the first one that is missing.

    TODO(felipemonteiro): Once multiple policy testing is supported, this
    test should also check for additional policies mentioned here:
    https://git.openstack.org/cgit/openstack/nova/tree/nova/policies/server_usage.py?h=17.0.0
    """
    usage_keys = ('OS-SRV-USG:launched_at', 'OS-SRV-USG:terminated_at')
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']
    absent = next((key for key in usage_keys if key not in server), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_show_limits(self):
    """Check the absolute volume limits include the usage counters.

    Raises:
        RbacMissingAttributeResponseBody: for a usage key missing from
            ``['limits']['absolute']``. The keys are held in a set, so
            which missing key gets reported first is not fixed.
    """
    # It is enough to check whether any of the following keys below
    # are in the response body under ['limits']['absolute'], but no harm
    # in checking for them all.
    usage_keys = {
        'totalVolumesUsed', 'totalGigabytesUsed', 'totalSnapshotsUsed',
        'totalBackupsUsed', 'totalBackupGigabytesUsed'
    }
    with self.override_role():
        limits = self.volume_limits_client.show_limits()['limits']
        absolute = limits['absolute']
    absent = next((key for key in usage_keys if key not in absolute), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_show_distributed_router(self):
    """Get distributed router

    RBAC test for the neutron get_router:distributed policy. The router
    is created, and its deletion registered, before the role override;
    only the show call runs under it.

    Raises:
        RbacMissingAttributeResponseBody: ``distributed`` is absent from
            the returned router.
    """
    created = self.routers_client.create_router(distributed=True)['router']
    self.addCleanup(self.routers_client.delete_router, created['id'])

    with self.override_role():
        shown = self.routers_client.show_router(
            created['id'], fields=['distributed'])
        router_fields = shown['router']

    # Rather than throwing a 403, the field is not present, so raise exc.
    if 'distributed' in router_fields:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='distributed')
def test_show_high_availability_router(self):
    """GET high-availability router

    RBAC test for the neutron get_router:ha policy. The router is
    created, and its deletion registered, before the role override; only
    the show call runs under it.

    Raises:
        RbacMissingAttributeResponseBody: ``ha`` is absent from the
            returned router.
    """
    created = self.routers_client.create_router(ha=True)['router']
    self.addCleanup(self.routers_client.delete_router, created['id'])

    with self.override_role():
        shown = self.routers_client.show_router(created['id'], fields=['ha'])
        router_fields = shown['router']

    # Rather than throwing a 403, the field is not present, so raise exc.
    if 'ha' in router_fields:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(attribute='ha')
def test_show_server_extended_server_attributes(self):
    """Test show server with extended server attributes in response body.

    Raises:
        RbacMissingAttributeResponseBody: for the first of the
            ``OS-EXT-SRV-ATTR:`` keys checked that is missing.
    """
    with self.override_role():
        server = self.servers_client.show_server(self.server['id'])['server']

    # NOTE(felipemonteiro): The attributes included below should be
    # returned by all microversions. We don't include tests for other
    # microversions since Tempest schema validation takes care of that in
    # `show_server` call above. (Attributes there are *optional*.)
    prefixed = ('OS-EXT-SRV-ATTR:%s' % suffix
                for suffix in ('host', 'instance_name'))
    absent = next((key for key in prefixed if key not in server), None)
    if absent is not None:
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=absent)
def test_show_port_binding_host_id(self):
    """Request only ``binding:host_id`` of a new port and expect it back.

    The port is created with a random host id before the role override
    is entered; only the show call runs under it.

    Raises:
        RbacMissingAttributeResponseBody: the requested field is absent
            from the returned port.
    """
    # Verify specific fields of a port
    requested_fields = ['binding:host_id']
    create_args = {
        'network': self.network,
        'binding:host_id': data_utils.rand_name('host-id')
    }
    created = self.create_port(**create_args)

    with self.override_role():
        shown = self.ports_client.show_port(created['id'],
                                            fields=requested_fields)
        port = shown['port']

    # Rather than throwing a 403, the field is not present, so raise exc.
    if requested_fields[0] in port:
        return
    raise rbac_exceptions.RbacMissingAttributeResponseBody(
        attribute='binding:host_id')