Esempio n. 1
    def test_list_all_projects(self):
        """List All Projects Test

        RBAC test for Identity 2.0 list_tenants (admin endpoint)

        There are two separate APIs for listing tenants in the Keystone
        v2 API: one for admin and one for non-admin. The ``os_admin`` client
        calls the admin endpoint and the ``os_primary`` client calls the
        non-admin endpoint. To ensure that the admin endpoint only returns
        admin-scoped tenants, raise ``RbacMalformedResponse`` when the admin
        tenant is missing from the listing or when the non-admin tenant
        appears in it.
        """
        # The client and both tenant ids are resolved before the role switch.
        # NOTE(review): this line calls the module-level
        # ``rbac_utils.is_admin()`` while the switch below goes through
        # ``self.rbac_utils`` -- confirm both refer to the intended helper.
        tenants_client = self.os_admin.tenants_client if \
            rbac_utils.is_admin() else self.os_primary.tenants_client
        admin_tenant_id = self.os_admin.credentials.project_id
        non_admin_tenant_id = self.os_primary.credentials.project_id

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        tenants = tenants_client.list_tenants()['tenants']

        tenant_ids = [t['id'] for t in tenants]
        # The admin tenant must be listed ...
        if admin_tenant_id not in tenant_ids:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute="admin tenant id")
        # ... and the non-admin tenant must not be.
        if non_admin_tenant_id in tenant_ids:
            raise rbac_exceptions.RbacMalformedResponse(extra_attr=True)
 def test_show_server_keypair(self):
     """Check that ``key_name`` is present when showing the server.

     The request is made after ``switch_role(..., toggle_rbac_role=True)``;
     ``RbacMalformedResponse`` is raised when the attribute is absent.
     """
     required_attr = 'key_name'
     self.rbac_utils.switch_role(self, toggle_rbac_role=True)
     response = self.servers_client.show_server(self.server['id'])
     server_body = response['server']
     if required_attr in server_body:
         return
     raise rbac_exceptions.RbacMalformedResponse(attribute=required_attr)
Esempio n. 3
 def test_get_flavor_rxtx(self):
     """Check that ``rxtx_factor`` is returned for the reference flavor.

     Only the ``show_flavor`` call runs inside the ``override_role``
     context; the response is inspected after the context exits.
     """
     required_attr = 'rxtx_factor'
     with self.rbac_utils.override_role(self):
         flavor = self.flavors_client.show_flavor(
             CONF.compute.flavor_ref)['flavor']
     if required_attr in flavor:
         return
     raise rbac_exceptions.RbacMalformedResponse(attribute=required_attr)
Esempio n. 4
 def test_get_flavor_rxtx(self):
     """Verify ``rxtx_factor`` appears in the show-flavor response.

     ``switch_role(..., toggle_rbac_role=True)`` is called before the
     request; a missing attribute raises ``RbacMalformedResponse``.
     """
     self.rbac_utils.switch_role(self, toggle_rbac_role=True)
     response = self.flavors_client.show_flavor(CONF.compute.flavor_ref)
     attr_missing = 'rxtx_factor' not in response['flavor']
     if attr_missing:
         raise rbac_exceptions.RbacMalformedResponse(
             attribute='rxtx_factor')
Esempio n. 5
    def test_list_backup_details_project_attribute(self):
        """Check ``self.expected_attr`` on the first detailed backup listed.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        with self.rbac_utils.override_role(self):
            listing = self.backups_client.list_backups(detail=True)
            backups = listing['backups']

        # NOTE(review): an empty listing raises IndexError below, not
        # RbacMalformedResponse -- presumably surfacing as a test error
        # rather than a policy result; confirm a backup always exists here.
        attr_present = self.expected_attr in backups[0]
        if attr_present:
            return
        raise rbac_exceptions.RbacMalformedResponse(
            attribute=self.expected_attr)
Esempio n. 6
    def test_show_server_host_status(self):
        """Check that ``host_status`` is present in the show-server body.

        The request follows ``switch_role(..., toggle_rbac_role=True)``;
        ``RbacMalformedResponse`` is raised when the attribute is absent.
        """
        required_attr = 'host_status'
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        response = self.servers_client.show_server(self.server_id)

        if required_attr in response['server']:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=required_attr)
Esempio n. 7
    def test_show_server_host_status(self):
        """Verify ``host_status`` is returned when showing the server.

        The server is fetched inside the ``override_role`` context and the
        body is checked once the context has exited.
        """
        with self.rbac_utils.override_role(self):
            response = self.servers_client.show_server(self.server_id)
            server_body = response['server']

        host_status_missing = 'host_status' not in server_body
        if host_status_missing:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute='host_status')
Esempio n. 8
 def test_show_group_type(self):
     """Check that ``group_specs`` is present when showing a group type.

     The group type is created before entering ``override_role``; only
     the show call runs inside the context.
     """
     required_attr = 'group_specs'
     created_type = self.create_group_type()
     with self.rbac_utils.override_role(self):
         response = self.group_types_client.show_group_type(
             created_type['id'])
         shown_type = response['group_type']
     if required_attr in shown_type:
         return
     raise rbac_exceptions.RbacMalformedResponse(attribute=required_attr)
 def test_show_server_config_drive(self):
     """Test show server with config_drive property in response body.

     Raises ``RbacMalformedResponse`` when ``config_drive`` is absent.
     """
     with self.rbac_utils.override_role(self):
         response = self.servers_client.show_server(self.server['id'])
         server_body = response['server']
     wanted = 'config_drive'
     if wanted in server_body:
         return
     raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
Esempio n. 10
    def test_show_backup_project_attribute(self):
        """Check ``self.expected_attr`` in the show-backup response body.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        with self.rbac_utils.override_role(self):
            response = self.backups_client.show_backup(self.backup['id'])
            backup_body = response['backup']

        # The show-backup API only injects this attribute into the response
        # body when policy enforcement succeeds, so its absence is what
        # signals a denial here.
        attr_present = self.expected_attr in backup_body
        if attr_present:
            return
        raise rbac_exceptions.RbacMalformedResponse(
            attribute=self.expected_attr)
 def test_list_servers_with_details_config_drive(self):
     """Test list servers with config_drive property in response body.

     Only the first listed server is inspected.
     """
     wanted = 'config_drive'
     self.rbac_utils.switch_role(self, toggle_rbac_role=True)
     servers = self.servers_client.list_servers(detail=True)['servers']
     # If the first server contains "config_drive", then all the others do.
     # NOTE(review): an empty listing raises IndexError here rather than
     # RbacMalformedResponse.
     first_server = servers[0]
     if wanted in first_server:
         return
     raise rbac_exceptions.RbacMalformedResponse(attribute=wanted)
Esempio n. 12
    def test_list_security_group_rules(self):
        """Check that listing security group rules returns a non-empty list.

        Raises ``RbacMalformedResponse(empty=True)`` when the list is empty.
        """
        rules_client = self.security_group_rules_client
        with self.rbac_utils.override_role(self):
            response = rules_client.list_security_group_rules()

        # Neutron may return an empty list if access is denied, so an empty
        # result is reported as a malformed response instead of a success.
        rules = response['security_group_rules']
        if rules:
            return
        raise rbac_exceptions.RbacMalformedResponse(empty=True)
Esempio n. 13
    def test_list_images_with_details_includes_image_size(self):
        """Check ``OS-EXT-IMG-SIZE:size`` on the first detailed image listed.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        with self.rbac_utils.override_role(self):
            listing = self.compute_images_client.list_images(detail=True)
            images = listing['images']

        size_attr = 'OS-EXT-IMG-SIZE:size'
        # NOTE(review): an empty image listing raises IndexError here rather
        # than RbacMalformedResponse.
        first_image = images[0]
        if size_attr in first_image:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=size_attr)
Esempio n. 14
    def test_show_image_includes_image_size(self):
        """Check ``OS-EXT-IMG-SIZE:size`` in the show-image response body.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        with self.rbac_utils.override_role(self):
            response = self.compute_images_client.show_image(
                self.image['id'])
            image_body = response['image']

        size_attr = 'OS-EXT-IMG-SIZE:size'
        size_missing = size_attr not in image_body
        if size_missing:
            raise rbac_exceptions.RbacMalformedResponse(attribute=size_attr)
    def test_show_server_extended_availability_zone(self):
        """Test show server OS-EXT-AZ:availability_zone attr in resp body.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        az_attr = 'OS-EXT-AZ:availability_zone'

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        response = self.servers_client.show_server(self.server['id'])
        server_body = response['server']
        if az_attr in server_body:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=az_attr)
Esempio n. 16
 def test_show_group_type(self):
     """Verify ``group_specs`` is returned when showing a group type.

     The group type is created first, then
     ``switch_role(..., toggle_rbac_role=True)`` is called before the show
     request.
     """
     created_type = self.create_group_type()
     self.rbac_utils.switch_role(self, toggle_rbac_role=True)
     response = self.group_types_client.show_group_type(created_type['id'])
     specs_missing = 'group_specs' not in response['group_type']
     if specs_missing:
         raise rbac_exceptions.RbacMalformedResponse(
             attribute='group_specs')
Esempio n. 17
    def test_show_flavor_contains_is_public_key(self):
        """Check ``os-flavor-access:is_public`` in the show-flavor body.

        The flavor id comes from ``CONF.compute.flavor_ref``; a missing
        attribute raises ``RbacMalformedResponse``.
        """
        flavor_id = CONF.compute.flavor_ref

        with self.rbac_utils.override_role(self):
            response = self.flavors_client.show_flavor(flavor_id)
            flavor_body = response['flavor']

        access_attr = 'os-flavor-access:is_public'
        if access_attr in flavor_body:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=access_attr)
Esempio n. 18
    def test_create_group_type_group_specs(self):
        """Check that a newly created group type carries ``group_specs``.

        The group type is created after
        ``switch_role(..., toggle_rbac_role=True)``; a missing attribute
        raises ``RbacMalformedResponse``.
        """
        # TODO(felipemonteiro): Combine with ``test_create_group_type``
        # once multiple policy testing is supported. This policy is
        # only enforced after "group:group_types_manage".
        required_attr = 'group_specs'
        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        created_type = self.create_group_type(ignore_notfound=True)

        if required_attr in created_type:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=required_attr)
    def test_list_servers_with_details_extended_availability_zone(self):
        """Test list servers OS-EXT-AZ:availability_zone attr in resp body.

        Only the first listed server is inspected.
        """
        az_attr = 'OS-EXT-AZ:availability_zone'

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        listing = self.servers_client.list_servers(detail=True)
        servers = listing['servers']
        # If the first server contains `az_attr`, then all the others do.
        # NOTE(review): an empty listing raises IndexError here rather than
        # RbacMalformedResponse.
        first_server = servers[0]
        if az_attr in first_server:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=az_attr)
    def test_show_instance_action(self):
        """Test show instance action, part of os-instance-actions.

        The response body must carry "events" and the first event must
        carry "traceback"; otherwise ``RbacMalformedResponse`` is raised
        naming the missing attribute.
        """
        # NOTE: "os_compute_api:os-instance-actions" is also enforced.
        req_id = self.server.response['x-compute-request-id']

        with self.rbac_utils.override_role(self):
            response = self.servers_client.show_instance_action(
                self.server['id'], req_id)
            action = response['instanceAction']

        missing = None
        if 'events' not in action:
            missing = 'events'
        # Microversion 2.51+ returns 'events' always, but not 'traceback'. If
        # 'traceback' is also present then policy enforcement passed.
        # NOTE(review): an empty 'events' list raises IndexError on the
        # lookup below rather than RbacMalformedResponse.
        elif 'traceback' not in action['events'][0]:
            missing = 'events.traceback'

        if missing is not None:
            raise rbac_exceptions.RbacMalformedResponse(attribute=missing)
    def test_show_server_extended_status(self):
        """Test show server with extended properties in response body.

        Raises ``RbacMalformedResponse`` for the first ``OS-EXT-STS``
        attribute that is absent from the server body.
        """
        with self.rbac_utils.override_role(self):
            response = self.servers_client.show_server(self.server['id'])
            server_body = response['server']

        status_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                        'OS-EXT-STS:power_state')
        # Attributes are checked in tuple order; the first absent one is
        # the one reported.
        first_missing = next(
            (name for name in status_attrs if name not in server_body), None)
        if first_missing is not None:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute=first_missing)
    def test_list_servers_extended_status(self):
        """Test list servers with extended properties in response body.

        Only the first listed server is inspected; the first absent
        ``OS-EXT-STS`` attribute is reported via ``RbacMalformedResponse``.
        """
        with self.rbac_utils.override_role(self):
            listing = self.servers_client.list_servers(detail=True)
            servers = listing['servers']

        status_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                        'OS-EXT-STS:power_state')
        # NOTE(review): an empty listing raises IndexError here rather than
        # RbacMalformedResponse.
        first_server = servers[0]
        first_missing = next(
            (name for name in status_attrs if name not in first_server),
            None)
        if first_missing is not None:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute=first_missing)
    def test_show_server_extended_volumes(self):
        """Test show server os-extended-volumes:volumes_attached attr in resp
        body.

        Raises ``RbacMalformedResponse`` when the attribute is absent.
        """
        volumes_attr = 'os-extended-volumes:volumes_attached'

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        response = self.servers_client.show_server(self.server['id'])
        server_body = response['server']
        if volumes_attr in server_body:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=volumes_attr)
    def test_list_servers_with_details_extended_volumes(self):
        """Test list servers os-extended-volumes:volumes_attached attr in resp
        body.

        Only the first listed server is inspected.
        """
        volumes_attr = 'os-extended-volumes:volumes_attached'

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        listing = self.servers_client.list_servers(detail=True)
        servers = listing['servers']
        # NOTE(review): an empty listing raises IndexError here rather than
        # RbacMalformedResponse.
        first_server = servers[0]
        if volumes_attr in first_server:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=volumes_attr)
Esempio n. 25
    def test_list_subnets(self):
        """List subnets.

        RBAC test for the neutron "get_subnet" policy. Raises
        ``RbacMalformedResponse(empty=True)`` when no subnets are returned.
        """
        with self.rbac_utils.override_role(self):
            response = self.subnets_client.list_subnets()

        # Neutron may return an empty list if access is denied, so an empty
        # result is reported as a malformed response instead of a success.
        listed_subnets = response['subnets']
        if listed_subnets:
            return
        raise rbac_exceptions.RbacMalformedResponse(empty=True)
Esempio n. 26
    def test_list_snapshots_details_with_extended_attributes(self):
        """List snapshots details with extended attributes.

        Snapshots are filtered by the name of ``self.snapshot`` and only the
        first result is inspected; the first absent extended attribute is
        reported via ``RbacMalformedResponse``.
        """
        wanted_attrs = ('os-extended-snapshot-attributes:project_id',
                        'os-extended-snapshot-attributes:progress')
        snapshot_name = self.snapshot['name']

        with self.rbac_utils.override_role(self):
            listed = self._list_by_param_values(
                with_detail=True, name=snapshot_name)
        # NOTE(review): an empty result raises IndexError here rather than
        # RbacMalformedResponse.
        first_snapshot = listed[0]
        first_missing = next(
            (name for name in wanted_attrs if name not in first_snapshot),
            None)
        if first_missing is not None:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute=first_missing)
Esempio n. 27
    def test_show_snapshot_with_extended_attributes(self):
        """Show snapshot with extended attributes.

        Raises ``RbacMalformedResponse`` for the first extended snapshot
        attribute that is absent from the response body.
        """
        wanted_attrs = ('os-extended-snapshot-attributes:project_id',
                        'os-extended-snapshot-attributes:progress')

        with self.rbac_utils.override_role(self):
            response = self.snapshots_client.show_snapshot(
                self.snapshot['id'])
            snapshot_body = response['snapshot']
        first_missing = next(
            (name for name in wanted_attrs if name not in snapshot_body),
            None)
        if first_missing is not None:
            raise rbac_exceptions.RbacMalformedResponse(
                attribute=first_missing)
Esempio n. 28
    def test_show_network_provider_segmentation_id(self):
        """Show Network Provider Segmentation Id Test

        RBAC test for the neutron get_network:provider:segmentation_id
        policy. The request asks only for the ``provider:segmentation_id``
        field, and an empty network body raises
        ``RbacMalformedResponse(empty=True)``.
        """
        with self.rbac_utils.override_role(self):
            response = self.networks_client.show_network(
                self.network['id'], fields='provider:segmentation_id')
            network_body = response['network']

        # NOTE(review): presumably the field is omitted when the policy
        # denies it, leaving the body empty -- confirm against neutron.
        if len(network_body) != 0:
            return
        raise rbac_exceptions.RbacMalformedResponse(empty=True)
Esempio n. 29
    def test_show_backup_project_attribute(self):
        """Check ``os-backup-project-attr:project_id`` when showing a backup.

        A volume and its backup are created first, then
        ``switch_role(..., toggle_rbac_role=True)`` is called before the show
        request.
        """
        project_attr = 'os-backup-project-attr:project_id'
        new_volume = self.create_volume()
        new_backup = self.create_backup(volume_id=new_volume['id'])

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        response = self.backups_client.show_backup(new_backup['id'])
        backup_body = response['backup']

        # The show-backup API only injects this attribute into the response
        # body when policy enforcement succeeds, so its absence is what
        # signals a denial here.
        if project_attr in backup_body:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=project_attr)
Esempio n. 30
    def test_show_volume_details_image_metadata(self):
        """Check ``volume_image_metadata`` in the show-volume response body.

        Image metadata is set on the volume (with a cleanup registered to
        delete it) before the ``override_role`` context is entered.
        """
        volume_id = self.volume['id']
        self.volumes_client.update_volume_image_metadata(
            volume_id, image_id=self.image_id)
        # Remove the 'image_id' metadata key again when the test finishes.
        self.addCleanup(self.volumes_client.delete_volume_image_metadata,
                        self.volume['id'], 'image_id')

        with self.rbac_utils.override_role(self):
            response = self.volumes_client.show_volume(self.volume['id'])
            volume_body = response['volume']
        metadata_attr = 'volume_image_metadata'
        if metadata_attr in volume_body:
            return
        raise rbac_exceptions.RbacMalformedResponse(attribute=metadata_attr)