def setUp(self, *args):
    """Prepare a mocked test object and an ``RbacUtils`` instance per test.

    Builds a mock test case with mocked credentials, admin roles client and
    identity version, constructs ``RbacUtils`` around it, pins the identity
    and RBAC config options, and registers cleanups that clear the overrides.

    ``*args`` is accepted but not used in this body.
    """
    super(RBACUtilsTest, self).setUp()
    # Mock test object, spec'd against the base test case class.
    self.mock_test_obj = mock.Mock(spec=lib_base.BaseTestCase)
    # Credentials expose sentinel user/project ids so assertions can match
    # them by identity.
    self.mock_test_obj.auth_provider = mock.Mock(
        **{'credentials.user_id': mock.sentinel.user_id,
           'credentials.tenant_id': mock.sentinel.project_id})
    # The admin roles client reports ``self.available_roles`` (set elsewhere
    # on the test class) whenever roles are listed.
    self.mock_test_obj.os_admin = mock.Mock(
        **{'roles_v3_client.list_roles.return_value': self.available_roles}
    )
    self.mock_test_obj.get_identity_version = mock.Mock(return_value=3)

    # `_validate_switch_role` is replaced by a mock while the constructor
    # runs, so the real validation is not executed during setup.
    with mock.patch.object(rbac_utils.RbacUtils, '_validate_switch_role'):
        self.rbac_utils = rbac_utils.RbacUtils(self.mock_test_obj)
    # Start every test from an empty history and fixed role ids.
    self.rbac_utils.switch_role_history = {}
    self.rbac_utils.admin_role_id = 'admin_id'
    self.rbac_utils.rbac_role_id = 'member_id'

    CONF.set_override('admin_role', 'admin', group='identity')
    CONF.set_override('auth_version', 'v3', group='identity')
    CONF.set_override('rbac_test_role', 'Member', group='rbac')

    # Drop any calls recorded so far (e.g. by the constructor above) so each
    # test asserts only on the calls it triggers itself.
    roles_client = self.mock_test_obj.os_admin.roles_v3_client
    roles_client.create_user_role_on_project.reset_mock()
    self.mock_test_obj.auth_provider.reset_mock()

    # Undo the config overrides and stop outstanding patches after the test.
    self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
    self.addCleanup(CONF.clear_override, 'admin_role', group='identity')
    self.addCleanup(CONF.clear_override, 'auth_version', group='identity')
    self.addCleanup(mock.patch.stopall)
def test_override_role_context_manager_simulate_fail(
        self, mock_override_role):
    """Check the ``_override_role`` call sequence when the wrapped code fails.

    The body run under ``override_role`` raises ``Forbidden``. The test
    verifies that the exception propagates and that ``_override_role`` is
    still called with ``False`` afterwards, i.e. the switch back to the admin
    role happens on the failure path too.
    """
    fake_test = mock.MagicMock()
    utils = rbac_utils.RbacUtils(fake_test)

    # Construction alone must already have called _override_role(False).
    mock_override_role.assert_called_once_with(utils, fake_test, False)
    mock_override_role.reset_mock()

    # The exception has to escape the context manager unchanged ...
    with testtools.ExpectedException(lib_exc.Forbidden):
        with utils.override_role(fake_test):
            # Entering the public `override_role` must call the private
            # `_override_role` with True.
            mock_override_role.assert_called_once_with(
                utils, fake_test, True)
            mock_override_role.reset_mock()
            # Simulate a test body that fails with a policy denial.
            raise lib_exc.Forbidden()

    # ... and the role must still be restored (False) despite the failure,
    # so a failing test does not leave the overridden role in place.
    mock_override_role.assert_called_once_with(utils, fake_test, False)
def setup_clients(cls):
    """Run the parent setup, attach ``RbacUtils`` and bind volume clients.

    All four service clients are taken from ``cls.os_primary``.
    """
    super(BaseVolumeRbacTest, cls).setup_clients()
    # The helper is created before the service clients are bound, matching
    # the original statement order.
    cls.rbac_utils = rbac_utils.RbacUtils(cls)

    primary = cls.os_primary
    cls.volume_hosts_client = primary.volume_hosts_v2_client
    cls.volume_types_client = primary.volume_types_v2_client
    cls.groups_client = primary.groups_v3_client
    cls.group_types_client = primary.group_types_v3_client
def real_override_role(self, test_obj):
    """Enter the real ``override_role`` context and yield inside it.

    Lets a test finish installing its mocks first and only then exercise the
    genuine ``override_role`` implementation.

    :param test_obj: object handed to both the ``RbacUtils`` constructor and
        ``override_role``.
    """
    helper = rbac_utils.RbacUtils(test_obj)
    role_context = helper.override_role(test_obj)
    with role_context:
        yield
def setup_clients(cls):
    """Attach the auth provider, ``RbacUtils`` and version-selected clients.

    ``cls._api_version`` selects the hosts/types client pair. Any value
    other than 2 or 3 raises ``KeyError``.
    """
    super(BaseVolumeRbacTest, cls).setup_clients()
    primary = cls.os_primary
    cls.auth_provider = primary.auth_provider
    cls.rbac_utils = rbac_utils.RbacUtils(cls)

    # NOTE(review): API versions 2 and 3 both resolve to the *v2* clients;
    # confirm that this is intentional and not a missing v3 client pair.
    clients_by_version = {
        version: (primary.volume_hosts_v2_client,
                  primary.volume_types_v2_client)
        for version in (2, 3)
    }
    hosts_client, types_client = clients_by_version[cls._api_version]
    cls.volume_hosts_client = hosts_client
    cls.volume_types_client = types_client
def override_role(self, *role_toggles):
    """Build an ``RbacUtils`` and call ``_override_role`` once per toggle.

    A fresh ``rbac_utils.RbacUtils`` is created around ``self.mock_test_obj``
    and its private ``_override_role`` is called for each value in
    ``role_toggles``, in order. The total number of role-override calls is
    1 + len(``role_toggles``), because the constructor performs one itself.

    :param role_toggles: boolean values passed one by one to
        ``_override_role``.
    """
    helper = rbac_utils.RbacUtils(self.mock_test_obj)

    for toggle in role_toggles:
        helper._override_role(self.mock_test_obj, toggle)

        # NOTE(felipemonteiro): Simulate that a role switch has occurred
        # by updating the user's current role to the new role. This means
        # that all API actions involved during a role switch -- listing,
        # deleting and adding roles -- are executed, making it easier to
        # assert that mock calls were called as expected.
        if toggle:
            current_role = 'member'
        else:
            current_role = 'admin'
        self.set_roles(['admin', 'member'], [current_role])
def test_override_role_context_manager_simulate_pass(
        self, mock_override_role):
    """Check the ``_override_role`` call sequence when the wrapped code passes.

    Expected order: ``False`` from the constructor, ``True`` on entering the
    ``override_role`` context, and ``False`` again once the context exits.
    """
    fake_test = mock.MagicMock()
    utils = rbac_utils.RbacUtils(fake_test)

    # Step 1: construction alone calls _override_role(False).
    mock_override_role.assert_called_once_with(utils, fake_test, False)
    mock_override_role.reset_mock()

    role_context = utils.override_role(fake_test)
    with role_context:
        # Step 2: entering the public `override_role` calls the private
        # `_override_role` with True.
        mock_override_role.assert_called_once_with(utils, fake_test, True)
        mock_override_role.reset_mock()

    # Step 3: leaving the context switches back to the admin role (False).
    mock_override_role.assert_called_once_with(utils, fake_test, False)
def setup_clients(cls):
    """Run the parent client setup, then attach an ``RbacUtils`` helper."""
    parent = super(BaseV2ImageRbacTest, cls)
    parent.setup_clients()

    helper = rbac_utils.RbacUtils(cls)
    cls.rbac_utils = helper
def setup_clients(cls):
    """Run the parent setup, expose the auth provider and attach ``RbacUtils``.

    ``cls.auth_provider`` is assigned before ``RbacUtils`` is constructed,
    as in the original.
    """
    super(BaseIdentityRbacTest, cls).setup_clients()

    primary = cls.os_primary
    cls.auth_provider = primary.auth_provider

    helper = rbac_utils.RbacUtils(cls)
    cls.rbac_utils = helper
def setup_clients(cls):
    """Run the parent setup, attach ``RbacUtils`` and bind compute clients.

    The hosts and tenant-usages clients both come from ``cls.os_primary``.
    """
    super(BaseV2ComputeRbacTest, cls).setup_clients()
    cls.rbac_utils = rbac_utils.RbacUtils(cls)

    primary = cls.os_primary
    cls.hosts_client = primary.hosts_client
    cls.tenant_usages_client = primary.tenant_usages_client
def setup_clients(cls):
    """Run the parent client setup, then attach an ``RbacUtils`` helper."""
    parent = super(BaseIdentityRbacTest, cls)
    parent.setup_clients()

    helper = rbac_utils.RbacUtils(cls)
    cls.rbac_utils = helper
def setup_clients(cls):
    """Run the parent setup, expose the auth provider and bind clients.

    ``cls.auth_provider`` is assigned before ``RbacUtils`` is constructed;
    the hosts client is bound afterwards.
    """
    super(BaseV2ComputeRbacTest, cls).setup_clients()

    primary = cls.os_primary
    cls.auth_provider = primary.auth_provider

    cls.rbac_utils = rbac_utils.RbacUtils(cls)
    cls.hosts_client = primary.hosts_client
def setup_clients(cls):
    """Run the parent client setup, then attach an ``RbacUtils`` helper."""
    parent = super(BaseNetworkRbacTest, cls)
    parent.setup_clients()

    helper = rbac_utils.RbacUtils(cls)
    cls.rbac_utils = helper
def setup_clients(cls):
    """Attach the RBAC helper and one SDN service client per resource type.

    Every service client is built with the same arguments: the primary
    credentials' auth provider, the ``[sdn]`` catalog and endpoint type, the
    ``[identity]`` region, and the ``[identity]`` TLS options. The clients
    are stored as class attributes in the order listed in ``client_specs``.
    """
    super(BaseContrailTest, cls).setup_clients()
    cls.auth_provider = cls.os_primary.auth_provider
    cls.admin_client = cls.os_admin.networks_client

    # NOTE(review): both TLS options are read from the [identity] group and
    # forwarded unchanged to every SDN client below, so
    # `disable_ssl_certificate_validation` presumably governs certificate
    # checks for all of these endpoints -- confirm in the client base class.
    dscv = CONF.identity.disable_ssl_certificate_validation
    ca_certs = CONF.identity.ca_certificates_file

    cls.rbac_utils = rbac_utils.RbacUtils(cls)

    # (class attribute, client class), in the order the attributes are set.
    client_specs = (
        ('access_control_client', AccessControlClient),
        ('alarm_client', AlarmClient),
        ('vm_client', VmContrailClient),
        ('dsa_client', DiscoveryServiceAssignmentClient),
        ('dsa_rule_client', DSARuleClient),
        ('forwarding_class_client', ForwardingClassClient),
        ('qos_client', QosContrailClient),
        ('routing_client', RoutingClient),
        ('security_group_client', SecurityGroupClient),
        ('service_appliances_client', ServiceAppliancesClient),
        ('analytics_node_client', AnalyticsNodeClient),
        ('vn_client', VirtualNetworkClient),
        ('db_client', ContrailDatabaseClient),
        ('fip_client', FloatingIpClient),
        ('fq_client', FqnameIdClient),
        ('virtual_ip_client', VirtualIPClient),
        ('virtual_dns_client', VirtualDNSClient),
        ('domain_client', DomainClient),
        ('project_client', ProjectClient),
        ('port_tuple_client', PortTupleClient),
        ('network_policy_client', NetworkPolicyClient),
        ('routing_policy_client', RoutingPolicyClient),
        ('namespace_client', NamespaceClient),
        ('network_ipams_client', NetworkIpamsClient),
        ('bgp_as_a_service_client', BGPAsAServiceClient),
        ('iip_client', InstanceIPClient),
        ('subnet_client', SubnetClient),
        ('load_balancer_client', LoadBalancerClient),
        ('route_client', RouteClient),
        ('interface_client', InterfaceClient),
        ('router_client', RouterClient),
        ('service_client', ServiceClient),
        ('attachments_client', AttachmentsClient),
        ('config_client', ConfigClient),
        ('alias_ip_client', AliasIPsClient),
    )

    for attr_name, client_cls in client_specs:
        # Config values are re-read per client, as the original did.
        client = client_cls(
            cls.auth_provider,
            CONF.sdn.catalog_type,
            CONF.identity.region,
            CONF.sdn.endpoint_type,
            disable_ssl_certificate_validation=dscv,
            ca_certs=ca_certs)
        setattr(cls, attr_name, client)