Esempio n. 1
 def test_get_flavor_rxtx(self):
     """Verify that showing the configured flavor returns ``rxtx_factor``.

     NOTE(review): ``override_role()`` presumably applies the role under
     test for the duration of the call -- confirm against the base class.
     """
     with self.override_role():
         response = self.flavors_client.show_flavor(CONF.compute.flavor_ref)
         flavor = response['flavor']
     # The body is inspected only after the override context has exited.
     if 'rxtx_factor' in flavor:
         return
     raise rbac_exceptions.RbacMissingAttributeResponseBody(
         attribute='rxtx_factor')
 def test_show_server_keypair(self):
     """Verify that the show-server response body carries ``key_name``.

     NOTE(review): ``override_role()`` presumably applies the role under
     test for the duration of the call -- confirm against the base class.
     """
     with self.override_role():
         response = self.servers_client.show_server(self.server['id'])
         server = response['server']
     # The body is inspected only after the override context has exited.
     if 'key_name' in server:
         return
     raise rbac_exceptions.RbacMissingAttributeResponseBody(
         attribute='key_name')
Esempio n. 3
    def test_list_backup_details_project_attribute(self):
        """Verify the detailed backup listing exposes ``self.expected_attr``.

        Only the first backup in the list is inspected, so an empty listing
        surfaces as ``IndexError`` rather than as the RBAC exception.
        """
        with self.override_role():
            listing = self.backups_client.list_backups(detail=True)
            backups = listing['backups']

        wanted = self.expected_attr
        if wanted in backups[0]:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
    def test_show_server_host_status(self):
        """Verify that the show-server response body carries ``host_status``.

        NOTE(review): ``override_role()`` presumably applies the role under
        test for the duration of the call -- confirm against the base class.
        """
        with self.override_role():
            response = self.servers_client.show_server(self.server_id)
            details = response['server']

        # A missing key is reported through the dedicated RBAC exception.
        if 'host_status' in details:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='host_status')
 def test_show_server_config_drive(self):
     """Check that show server returns ``config_drive`` in its body.

     The server is fetched inside ``override_role()``; the response is
     examined once that context has exited.
     """
     with self.override_role():
         response = self.servers_client.show_server(self.server['id'])
         server = response['server']
     wanted = 'config_drive'
     if wanted in server:
         return
     raise rbac_exceptions.RbacMissingAttributeResponseBody(
         attribute=wanted)
Esempio n. 6
 def test_show_group_type(self):
     """Verify that showing a group type returns its ``group_specs``.

     The group type is created before ``override_role()`` is entered; only
     the show call itself runs inside that context.
     """
     created = self.create_group_type()
     with self.override_role():
         response = self.group_types_client.show_group_type(created['id'])
         shown = response['group_type']
     if 'group_specs' in shown:
         return
     raise rbac_exceptions.RbacMissingAttributeResponseBody(
         attribute='group_specs')
Esempio n. 7
    def test_show_backup_project_attribute(self):
        """Verify that showing a backup exposes ``self.expected_attr``."""
        with self.override_role():
            response = self.backups_client.show_backup(self.backup['id'])
            backup = response['backup']

        # The show backup API only injects this attribute into the response
        # body when policy enforcement succeeds, so its absence is treated
        # as an RBAC failure.
        wanted = self.expected_attr
        if wanted in backup:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
Esempio n. 8
    def test_show_image_includes_image_size(self):
        """Verify that show image returns ``OS-EXT-IMG-SIZE:size``.

        NOTE(review): ``override_role()`` presumably applies the role under
        test for the duration of the call -- confirm against the base class.
        """
        with self.override_role():
            response = self.compute_images_client.show_image(self.image['id'])
            image = response['image']

        size_key = 'OS-EXT-IMG-SIZE:size'
        if size_key in image:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=size_key)
    def test_show_server_extended_availability_zone(self):
        """Check show server for the OS-EXT-AZ:availability_zone attribute."""
        with self.override_role():
            response = self.servers_client.show_server(self.server['id'])
            server = response['server']

        # The body is inspected only after the override context has exited.
        az_key = 'OS-EXT-AZ:availability_zone'
        if az_key in server:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=az_key)
 def test_list_servers_with_details_config_drive(self):
     """Check that the detailed server listing returns ``config_drive``.

     Only the first server is inspected, on the stated assumption that the
     rest of the list carries the same keys. An empty listing therefore
     surfaces as ``IndexError`` rather than as the RBAC exception.
     """
     with self.override_role():
         listing = self.servers_client.list_servers(detail=True)
         servers = listing['servers']
     wanted = 'config_drive'
     if wanted in servers[0]:
         return
     raise rbac_exceptions.RbacMissingAttributeResponseBody(
         attribute=wanted)
Esempio n. 11
    def test_list_images_with_details_includes_image_size(self):
        """Verify the detailed image listing returns ``OS-EXT-IMG-SIZE:size``.

        Only the first image is inspected, so an empty listing surfaces as
        ``IndexError`` rather than as the RBAC exception.
        """
        with self.override_role():
            listing = self.compute_images_client.list_images(detail=True)
            images = listing['images']

        size_key = 'OS-EXT-IMG-SIZE:size'
        if size_key in images[0]:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=size_key)
Esempio n. 12
    def test_create_group_type_group_specs(self):
        """Verify that a newly created group type returns ``group_specs``.

        Unlike the show test, the create call itself runs inside
        ``override_role()``.
        """
        # TODO(felipemonteiro): Combine with ``test_create_group_type``
        # once multiple policy testing is supported. This policy is
        # only enforced after "group:group_types_manage".
        with self.override_role():
            created = self.create_group_type(ignore_notfound=True)

        if 'group_specs' in created:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='group_specs')
Esempio n. 13
    def test_show_flavor_contains_is_public_key(self):
        """Verify that show flavor returns ``os-flavor-access:is_public``.

        The flavor id comes from ``CONF.compute.flavor_ref`` and is read
        before ``override_role()`` is entered.
        """
        flavor_id = CONF.compute.flavor_ref

        with self.override_role():
            response = self.flavors_client.show_flavor(flavor_id)
            flavor = response['flavor']

        access_key = 'os-flavor-access:is_public'
        if access_key in flavor:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=access_key)
    def test_list_servers_with_details_extended_availability_zone(self):
        """Check list servers for the OS-EXT-AZ:availability_zone attribute.

        Only the first server is inspected, on the stated assumption that
        the rest of the list carries the same keys. An empty listing
        surfaces as ``IndexError`` rather than as the RBAC exception.
        """
        with self.override_role():
            listing = self.servers_client.list_servers(detail=True)
            servers = listing['servers']

        az_key = 'OS-EXT-AZ:availability_zone'
        if az_key in servers[0]:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=az_key)
    def test_show_server_extended_volumes(self):
        """Check show server for os-extended-volumes:volumes_attached.

        The server is fetched inside ``override_role()``; the response is
        examined once that context has exited.
        """
        with self.override_role():
            response = self.servers_client.show_server(self.server['id'])
            server = response['server']

        volumes_key = 'os-extended-volumes:volumes_attached'
        if volumes_key in server:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=volumes_key)
    def test_show_instance_action(self):
        """Check show instance action (os-instance-actions) for event details.

        The response must contain "events", and the first event must contain
        "traceback". An empty "events" list surfaces as ``IndexError`` rather
        than as the RBAC exception.
        """
        # NOTE: "os_compute_api:os-instance-actions" is also enforced.
        # The request id is taken from the server's creation response before
        # the role override starts.
        req_id = self.server.response['x-compute-request-id']

        with self.override_role():
            response = self.servers_client.show_instance_action(
                self.server['id'], req_id)
            action = response['instanceAction']

        if 'events' not in action:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute='events')

        # Microversion 2.51+ always returns 'events' but not 'traceback', so
        # it is the presence of 'traceback' that shows policy enforcement
        # passed.
        first_event = action['events'][0]
        if 'traceback' in first_event:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='events.traceback')
    def test_show_server_extended_status(self):
        """Check show server for the three OS-EXT-STS status attributes.

        The first attribute found missing, in declaration order, is the one
        reported.
        """
        with self.override_role():
            response = self.servers_client.show_server(self.server['id'])
            server = response['server']

        status_keys = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                       'OS-EXT-STS:power_state')
        absent = next((key for key in status_keys if key not in server), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
    def test_list_servers_extended_status(self):
        """Check list servers for the three OS-EXT-STS status attributes.

        Only the first server is inspected, so an empty listing surfaces as
        ``IndexError`` rather than as the RBAC exception. The first attribute
        found missing, in declaration order, is the one reported.
        """
        with self.override_role():
            listing = self.servers_client.list_servers(detail=True)
            servers = listing['servers']

        status_keys = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
                       'OS-EXT-STS:power_state')
        absent = next(
            (key for key in status_keys if key not in servers[0]), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
    def test_list_servers_with_details_extended_volumes(self):
        """Check list servers for os-extended-volumes:volumes_attached.

        Only the first server is inspected, so an empty listing surfaces as
        ``IndexError`` rather than as the RBAC exception.
        """
        with self.override_role():
            listing = self.servers_client.list_servers(detail=True)
            servers = listing['servers']

        volumes_key = 'os-extended-volumes:volumes_attached'
        if volumes_key in servers[0]:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=volumes_key)
    def test_list_snapshots_details_with_extended_attributes(self):
        """Check the detailed snapshot listing for the extended attributes.

        The listing is filtered by this test's snapshot name. Only the first
        result is inspected, so an empty listing surfaces as ``IndexError``
        rather than as the RBAC exception.
        """
        filters = {'name': self.snapshot['name']}
        extended_keys = ('os-extended-snapshot-attributes:project_id',
                         'os-extended-snapshot-attributes:progress')

        with self.override_role():
            snapshots = self._list_by_param_values(with_detail=True, **filters)

        # Report the first extended attribute that is missing, if any.
        absent = next(
            (key for key in extended_keys if key not in snapshots[0]), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
    def test_show_snapshot_with_extended_attributes(self):
        """Show a snapshot and check for the extended attributes.

        The first attribute found missing, in declaration order, is the one
        reported.
        """
        extended_keys = ('os-extended-snapshot-attributes:project_id',
                         'os-extended-snapshot-attributes:progress')

        with self.override_role():
            response = self.snapshots_client.show_snapshot(self.snapshot['id'])
            snapshot = response['snapshot']

        absent = next(
            (key for key in extended_keys if key not in snapshot), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
Esempio n. 22
    def test_show_port_binding_vif_details(self):
        """Verify that show port returns ``binding:vif_details`` on request.

        The port is queried with ``fields`` restricted to that one attribute.
        """
        wanted = 'binding:vif_details'

        with self.override_role():
            response = self.ports_client.show_port(self.port['id'],
                                                   fields=[wanted])
            port = response['port']

        # The API omits the field instead of answering 403, so the missing
        # key has to be turned into an explicit failure here.
        if wanted in port:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)
Esempio n. 23
    def test_show_volume_details_image_metadata(self):
        """Verify that show volume returns ``volume_image_metadata``.

        Image metadata is attached to the volume, and its removal registered
        as cleanup, before ``override_role()`` is entered. Only the show call
        runs inside that context.
        """
        volume_id = self.volume['id']
        self.volumes_client.update_volume_image_metadata(
            volume_id, image_id=self.image_id)
        self.addCleanup(self.volumes_client.delete_volume_image_metadata,
                        self.volume['id'], 'image_id')

        with self.override_role():
            response = self.volumes_client.show_volume(self.volume['id'])
            volume = response['volume']

        metadata_key = 'volume_image_metadata'
        if metadata_key in volume:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=metadata_key)
Esempio n. 24
    def test_list_flavors_details_contains_is_public_key(self):
        """Verify the detailed flavor listing has ``os-flavor-access:is_public``.

        One flavor carrying the attribute is enough for the check to pass.
        """
        access_key = 'os-flavor-access:is_public'

        with self.override_role():
            listing = self.flavors_client.list_flavors(detail=True)
            flavors = listing['flavors']

        # A public flavor, namely `CONF.compute.flavor_ref`, should already
        # exist, so finding the attribute on no flavor at all means that
        # policy enforcement failed.
        found = any(access_key in flavor for flavor in flavors)
        if not found:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=access_key)
    def test_show_server_usage(self):
        """Check show server for the os-server-usage attributes.

        Both ``OS-SRV-USG:launched_at`` and ``OS-SRV-USG:terminated_at`` must
        be present; the first one found missing is reported.

        TODO(felipemonteiro): Once multiple policy testing is supported, this
        test should also check for additional policies mentioned here:
        https://git.openstack.org/cgit/openstack/nova/tree/nova/policies/server_usage.py?h=17.0.0
        """
        usage_keys = ('OS-SRV-USG:launched_at', 'OS-SRV-USG:terminated_at')

        with self.override_role():
            response = self.servers_client.show_server(self.server['id'])
            server = response['server']

        absent = next((key for key in usage_keys if key not in server), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
Esempio n. 26
    def test_show_limits(self):
        """Verify show limits returns the usage keys under limits/absolute."""
        # Finding any one of these keys under ['limits']['absolute'] would be
        # enough, but there is no harm in requiring all of them.
        expected_keys = {
            'totalVolumesUsed', 'totalGigabytesUsed', 'totalSnapshotsUsed',
            'totalBackupsUsed', 'totalBackupGigabytesUsed'
        }

        with self.override_role():
            response = self.volume_limits_client.show_limits()
            absolute = response['limits']['absolute']

        # The keys live in a set, so which missing key gets reported first
        # follows set iteration order.
        absent = next(
            (key for key in expected_keys if key not in absolute), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
Esempio n. 27
    def test_show_distributed_router(self):
        """Show a distributed router and check for ``distributed``.

        RBAC test for the neutron get_router:distributed policy. The router
        is created, and its deletion registered as cleanup, before
        ``override_role()`` is entered.
        """
        created = self.routers_client.create_router(distributed=True)
        router = created['router']
        self.addCleanup(self.routers_client.delete_router, router['id'])

        with self.override_role():
            response = self.routers_client.show_router(
                router['id'], fields=['distributed'])
            shown = response['router']

        # The API omits the field instead of answering 403, so the missing
        # key has to be turned into an explicit failure here.
        if 'distributed' in shown:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='distributed')
Esempio n. 28
    def test_show_high_availability_router(self):
        """Show a high-availability router and check for ``ha``.

        RBAC test for the neutron get_router:ha policy. The router is
        created, and its deletion registered as cleanup, before
        ``override_role()`` is entered.
        """
        created = self.routers_client.create_router(ha=True)
        router = created['router']
        self.addCleanup(self.routers_client.delete_router, router['id'])

        with self.override_role():
            response = self.routers_client.show_router(
                router['id'], fields=['ha'])
            shown = response['router']

        # The API omits the field instead of answering 403, so the missing
        # key has to be turned into an explicit failure here.
        if 'ha' in shown:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute='ha')
    def test_show_server_extended_server_attributes(self):
        """Check show server for the OS-EXT-SRV-ATTR host and instance name.

        The first attribute found missing, in declaration order, is the one
        reported.
        """
        with self.override_role():
            response = self.servers_client.show_server(self.server['id'])
            server = response['server']

        # NOTE(felipemonteiro): The attributes included below should be
        # returned by all microversions. We don't include tests for other
        # microversions since Tempest schema validation takes care of that in
        # the `show_server` call above. (Attributes there are *optional*.)
        prefixed = ['OS-EXT-SRV-ATTR:%s' % suffix
                    for suffix in ('host', 'instance_name')]
        absent = next((key for key in prefixed if key not in server), None)
        if absent is not None:
            raise rbac_exceptions.RbacMissingAttributeResponseBody(
                attribute=absent)
Esempio n. 30
    def test_show_port_binding_host_id(self):
        """Verify that show port returns ``binding:host_id`` on request.

        A port with a random ``binding:host_id`` is created before
        ``override_role()`` is entered. It is then queried inside that
        context with ``fields`` restricted to that one attribute.
        """
        wanted = 'binding:host_id'
        # The key contains a colon, so it can only be passed via a dict.
        port_args = {
            'network': self.network,
            'binding:host_id': data_utils.rand_name('host-id')
        }
        created = self.create_port(**port_args)

        with self.override_role():
            response = self.ports_client.show_port(created['id'],
                                                   fields=[wanted])
            shown = response['port']

        # The API omits the field instead of answering 403, so the missing
        # key has to be turned into an explicit failure here.
        if wanted in shown:
            return
        raise rbac_exceptions.RbacMissingAttributeResponseBody(
            attribute=wanted)