def test_list_all_projects(self):
    """Check which tenants the Identity v2 ``list_tenants`` call returns.

    The tenants client comes from ``os_admin`` when
    ``rbac_utils.is_admin()`` is true and from ``os_primary`` otherwise;
    per the original notes these reach the admin and the non-admin
    endpoint respectively.  After the role switch the listing must
    contain the admin project and must not contain the primary one.

    Raises:
        RbacMalformedResponse: the admin project id is missing from the
            listing, or the primary (non-admin) project id is present.
    """
    if rbac_utils.is_admin():
        client = self.os_admin.tenants_client
    else:
        client = self.os_primary.tenants_client
    admin_project = self.os_admin.credentials.project_id
    primary_project = self.os_primary.credentials.project_id

    # NOTE(review): nothing in this method switches the role back;
    # presumably fixture teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    listed_ids = [entry['id'] for entry in client.list_tenants()['tenants']]

    if admin_project not in listed_ids:
        raise rbac_exceptions.RbacMalformedResponse(
            attribute="admin tenant id")
    # The primary project appearing here means the listing is broader
    # than the admin-scoped result this test expects.
    if primary_project in listed_ids:
        raise rbac_exceptions.RbacMalformedResponse(extra_attr=True)
def test_show_server_keypair(self):
    """Require ``key_name`` in the show-server body after the role switch.

    Raises:
        RbacMalformedResponse: ``key_name`` is absent from the response.
    """
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    server_body = self.servers_client.show_server(
        self.server['id'])['server']
    if 'key_name' in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='key_name')
def test_get_flavor_rxtx(self):
    """Require ``rxtx_factor`` in the flavor shown under the overridden role.

    Raises:
        RbacMalformedResponse: ``rxtx_factor`` is absent from the flavor.
    """
    # Only the API call sits inside override_role; the attribute check
    # runs after the context manager has exited.
    with self.rbac_utils.override_role(self):
        flavor_body = self.flavors_client.show_flavor(
            CONF.compute.flavor_ref)['flavor']
    if 'rxtx_factor' in flavor_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='rxtx_factor')
def test_get_flavor_rxtx(self):
    """Require ``rxtx_factor`` in the configured flavor after the role switch.

    Raises:
        RbacMalformedResponse: ``rxtx_factor`` is absent from the flavor.
    """
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    flavor_body = self.flavors_client.show_flavor(
        CONF.compute.flavor_ref)['flavor']
    if 'rxtx_factor' in flavor_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='rxtx_factor')
def test_list_backup_details_project_attribute(self):
    """Require ``self.expected_attr`` on the first detailed backup entry.

    Raises:
        RbacMalformedResponse: the attribute is absent from the first
            backup in the detailed listing.
    """
    with self.rbac_utils.override_role(self):
        backups = self.backups_client.list_backups(detail=True)['backups']
    # Only the first entry is inspected.  An empty listing raises
    # IndexError here rather than RbacMalformedResponse, so it surfaces
    # as a test error and not as a policy result.
    first_backup = backups[0]
    if self.expected_attr in first_backup:
        return
    raise rbac_exceptions.RbacMalformedResponse(
        attribute=self.expected_attr)
def test_show_server_host_status(self):
    """Require ``host_status`` in the show-server body after the role switch.

    Raises:
        RbacMalformedResponse: ``host_status`` is absent from the response.
    """
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    server_body = self.servers_client.show_server(self.server_id)['server']
    if 'host_status' in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='host_status')
def test_show_server_host_status(self):
    """Require ``host_status`` in the server shown under the overridden role.

    Raises:
        RbacMalformedResponse: ``host_status`` is absent from the response.
    """
    # Only the API call sits inside override_role; the attribute check
    # runs after the context manager has exited.
    with self.rbac_utils.override_role(self):
        server_body = self.servers_client.show_server(
            self.server_id)['server']
    if 'host_status' in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='host_status')
def test_show_group_type(self):
    """Require ``group_specs`` in a group type shown under the overridden role.

    Raises:
        RbacMalformedResponse: ``group_specs`` is absent from the response.
    """
    # The fixture is created before the role override, so only the show
    # call is made under the overridden role.
    created = self.create_group_type()
    with self.rbac_utils.override_role(self):
        shown = self.group_types_client.show_group_type(
            created['id'])['group_type']
    if 'group_specs' in shown:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='group_specs')
def test_show_server_config_drive(self):
    """Require ``config_drive`` in the server shown under the overridden role.

    Raises:
        RbacMalformedResponse: ``config_drive`` is absent from the response.
    """
    with self.rbac_utils.override_role(self):
        server_body = self.servers_client.show_server(
            self.server['id'])['server']
    wanted = 'config_drive'
    if wanted in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_backup_project_attribute(self):
    """Require ``self.expected_attr`` in the backup shown under the role.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    with self.rbac_utils.override_role(self):
        backup_body = self.backups_client.show_backup(
            self.backup['id'])['backup']
    # Show backup API attempts to inject the attribute below into the
    # response body but only if policy enforcement succeeds.
    if self.expected_attr in backup_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(
        attribute=self.expected_attr)
def test_list_servers_with_details_config_drive(self):
    """Require ``config_drive`` on the first server of the detailed listing.

    Raises:
        RbacMalformedResponse: ``config_drive`` is absent from the first
            server entry.
    """
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    servers = self.servers_client.list_servers(detail=True)['servers']
    wanted = 'config_drive'
    # If the first server contains "config_drive", then all the others do.
    # An empty listing raises IndexError here rather than
    # RbacMalformedResponse.
    first_server = servers[0]
    if wanted in first_server:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_list_security_group_rules(self):
    """Require a non-empty security group rule listing under the role.

    Raises:
        RbacMalformedResponse: the ``security_group_rules`` list is empty.
    """
    with self.rbac_utils.override_role(self):
        listing = (
            self.security_group_rules_client.list_security_group_rules())
    # Neutron may return an empty list if access is denied.
    rules = listing['security_group_rules']
    if rules:
        return
    raise rbac_exceptions.RbacMalformedResponse(empty=True)
def test_list_images_with_details_includes_image_size(self):
    """Require ``OS-EXT-IMG-SIZE:size`` on the first detailed image entry.

    Raises:
        RbacMalformedResponse: the attribute is absent from the first image.
    """
    with self.rbac_utils.override_role(self):
        images = self.compute_images_client.list_images(
            detail=True)['images']
    wanted = 'OS-EXT-IMG-SIZE:size'
    # Only the first entry is inspected.  An empty listing raises
    # IndexError here rather than RbacMalformedResponse.
    first_image = images[0]
    if wanted in first_image:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_image_includes_image_size(self):
    """Require ``OS-EXT-IMG-SIZE:size`` in the image shown under the role.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    with self.rbac_utils.override_role(self):
        image_body = self.compute_images_client.show_image(
            self.image['id'])['image']
    wanted = 'OS-EXT-IMG-SIZE:size'
    if wanted in image_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_server_extended_availability_zone(self):
    """Require ``OS-EXT-AZ:availability_zone`` in the show-server body.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    wanted = 'OS-EXT-AZ:availability_zone'
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    server_body = self.servers_client.show_server(
        self.server['id'])['server']
    if wanted in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_group_type(self):
    """Require ``group_specs`` in a group type shown after the role switch.

    Raises:
        RbacMalformedResponse: ``group_specs`` is absent from the response.
    """
    # The fixture is created before the role is toggled.
    created = self.create_group_type()
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    shown = self.group_types_client.show_group_type(
        created['id'])['group_type']
    if 'group_specs' in shown:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='group_specs')
def test_show_flavor_contains_is_public_key(self):
    """Require ``os-flavor-access:is_public`` in the configured flavor body.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    flavor_id = CONF.compute.flavor_ref
    with self.rbac_utils.override_role(self):
        flavor_body = self.flavors_client.show_flavor(flavor_id)['flavor']
    wanted = 'os-flavor-access:is_public'
    if wanted in flavor_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_create_group_type_group_specs(self):
    """Require ``group_specs`` in a group type created after the role switch.

    Raises:
        RbacMalformedResponse: ``group_specs`` is absent from the created
            group type.
    """
    # TODO(felipemonteiro): Combine with ``test_create_group_type``
    # once multiple policy testing is supported. This policy is
    # only enforced after "group:group_types_manage".
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    created = self.create_group_type(ignore_notfound=True)
    if 'group_specs' in created:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute='group_specs')
def test_list_servers_with_details_extended_availability_zone(self):
    """Require ``OS-EXT-AZ:availability_zone`` on the first listed server.

    Raises:
        RbacMalformedResponse: the attribute is absent from the first
            server of the detailed listing.
    """
    wanted = 'OS-EXT-AZ:availability_zone'
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    servers = self.servers_client.list_servers(detail=True)['servers']
    # If the first server contains `expected_attr`, then all the others do.
    # An empty listing raises IndexError here rather than
    # RbacMalformedResponse.
    first_server = servers[0]
    if wanted in first_server:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_instance_action(self):
    """Show one instance action and require its event details.

    The action is looked up by the ``x-compute-request-id`` header stored
    on ``self.server.response``.  The body must contain ``events`` and the
    first event must contain ``traceback``.

    Raises:
        RbacMalformedResponse: ``events`` is missing, or the first event
            has no ``traceback``.
    """
    # NOTE: "os_compute_api:os-instance-actions" is also enforced.
    compute_request_id = self.server.response['x-compute-request-id']
    with self.rbac_utils.override_role(self):
        action = self.servers_client.show_instance_action(
            self.server['id'], compute_request_id)['instanceAction']

    if 'events' not in action:
        raise rbac_exceptions.RbacMalformedResponse(attribute='events')
    # Microversion 2.51+ returns 'events' always, but not 'traceback'. If
    # 'traceback' is also present then policy enforcement passed.
    # An empty 'events' list raises IndexError here instead.
    first_event = action['events'][0]
    if 'traceback' in first_event:
        return
    raise rbac_exceptions.RbacMalformedResponse(
        attribute='events.traceback')
def test_show_server_extended_status(self):
    """Require the three ``OS-EXT-STS`` attributes in the show-server body.

    Raises:
        RbacMalformedResponse: names the first of the expected attributes
            that is absent from the response.
    """
    required = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                'OS-EXT-STS:power_state')
    with self.rbac_utils.override_role(self):
        server_body = self.servers_client.show_server(
            self.server['id'])['server']
    # Report the first missing attribute, in the order listed above.
    absent = next(
        (name for name in required if name not in server_body), None)
    if absent is not None:
        raise rbac_exceptions.RbacMalformedResponse(attribute=absent)
def test_list_servers_extended_status(self):
    """Require the three ``OS-EXT-STS`` attributes on the first listed server.

    Raises:
        RbacMalformedResponse: names the first of the expected attributes
            that is absent from the first server entry.
    """
    required = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                'OS-EXT-STS:power_state')
    with self.rbac_utils.override_role(self):
        servers = self.servers_client.list_servers(detail=True)['servers']
    # Only the first entry is inspected.  An empty listing raises
    # IndexError here rather than RbacMalformedResponse.
    first_server = servers[0]
    absent = next(
        (name for name in required if name not in first_server), None)
    if absent is not None:
        raise rbac_exceptions.RbacMalformedResponse(attribute=absent)
def test_show_server_extended_volumes(self):
    """Require ``os-extended-volumes:volumes_attached`` in show-server.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    wanted = 'os-extended-volumes:volumes_attached'
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    server_body = self.servers_client.show_server(
        self.server['id'])['server']
    if wanted in server_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_list_servers_with_details_extended_volumes(self):
    """Require ``os-extended-volumes:volumes_attached`` on the first server.

    Raises:
        RbacMalformedResponse: the attribute is absent from the first
            server of the detailed listing.
    """
    wanted = 'os-extended-volumes:volumes_attached'
    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    servers = self.servers_client.list_servers(detail=True)['servers']
    # Only the first entry is inspected.  An empty listing raises
    # IndexError here rather than RbacMalformedResponse.
    first_server = servers[0]
    if wanted in first_server:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_list_subnets(self):
    """Require a non-empty subnet listing under the overridden role.

    RBAC test for the neutron "get_subnet" policy.

    Raises:
        RbacMalformedResponse: the ``subnets`` list is empty.
    """
    with self.rbac_utils.override_role(self):
        listing = self.subnets_client.list_subnets()
    # Neutron may return an empty list if access is denied.
    found = listing['subnets']
    if found:
        return
    raise rbac_exceptions.RbacMalformedResponse(empty=True)
def test_list_snapshots_details_with_extended_attributes(self):
    """Require the extended snapshot attributes on the first listed entry.

    The detailed listing is filtered by the name of ``self.snapshot``.

    Raises:
        RbacMalformedResponse: names the first of the expected attributes
            that is absent from the first snapshot entry.
    """
    required = ('os-extended-snapshot-attributes:project_id',
                'os-extended-snapshot-attributes:progress')
    snapshot_name = self.snapshot['name']
    with self.rbac_utils.override_role(self):
        snapshots = self._list_by_param_values(
            with_detail=True, name=snapshot_name)
    # Only the first entry is inspected.  An empty listing raises
    # IndexError here rather than RbacMalformedResponse.
    first_snapshot = snapshots[0]
    absent = next(
        (name for name in required if name not in first_snapshot), None)
    if absent is not None:
        raise rbac_exceptions.RbacMalformedResponse(attribute=absent)
def test_show_snapshot_with_extended_attributes(self):
    """Require the extended snapshot attributes in the show-snapshot body.

    Raises:
        RbacMalformedResponse: names the first of the expected attributes
            that is absent from the response.
    """
    required = ('os-extended-snapshot-attributes:project_id',
                'os-extended-snapshot-attributes:progress')
    with self.rbac_utils.override_role(self):
        snapshot_body = self.snapshots_client.show_snapshot(
            self.snapshot['id'])['snapshot']
    # Report the first missing attribute, in the order listed above.
    absent = next(
        (name for name in required if name not in snapshot_body), None)
    if absent is not None:
        raise rbac_exceptions.RbacMalformedResponse(attribute=absent)
def test_show_network_provider_segmentation_id(self):
    """Show a network restricted to the ``provider:segmentation_id`` field.

    RBAC test for the neutron get_network:provider:segmentation_id policy.

    Raises:
        RbacMalformedResponse: the returned network body is empty.
    """
    with self.rbac_utils.override_role(self):
        network_body = self.networks_client.show_network(
            self.network['id'],
            fields='provider:segmentation_id')['network']
    # Only one field is requested, so an empty body means it was not
    # returned; presumably Neutron omits it when the policy denies
    # access -- confirm.
    if len(network_body) != 0:
        return
    raise rbac_exceptions.RbacMalformedResponse(empty=True)
def test_show_backup_project_attribute(self):
    """Require ``os-backup-project-attr:project_id`` in show-backup.

    Raises:
        RbacMalformedResponse: the attribute is absent from the response.
    """
    # Volume and backup fixtures are created before the role is toggled.
    source_volume = self.create_volume()
    new_backup = self.create_backup(volume_id=source_volume['id'])
    wanted = 'os-backup-project-attr:project_id'

    # NOTE(review): the role is toggled here and never switched back in
    # this method; presumably teardown restores it -- confirm.
    self.rbac_utils.switch_role(self, toggle_rbac_role=True)
    backup_body = self.backups_client.show_backup(
        new_backup['id'])['backup']

    # Show backup API attempts to inject the attribute below into the
    # response body but only if policy enforcement succeeds.
    if wanted in backup_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
def test_show_volume_details_image_metadata(self):
    """Require ``volume_image_metadata`` in the volume shown under the role.

    Image metadata is set on the volume first, with a cleanup registered
    to delete the ``image_id`` key; only the show call is made inside
    ``override_role``.

    Raises:
        RbacMalformedResponse: ``volume_image_metadata`` is absent from
            the response.
    """
    volume_id = self.volume['id']
    self.volumes_client.update_volume_image_metadata(
        volume_id, image_id=self.image_id)
    self.addCleanup(self.volumes_client.delete_volume_image_metadata,
                    self.volume['id'], 'image_id')

    with self.rbac_utils.override_role(self):
        volume_body = self.volumes_client.show_volume(
            self.volume['id'])['volume']
    wanted = 'volume_image_metadata'
    if wanted in volume_body:
        return
    raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)