示例#1
    def setUp(self, *args):
        """Prepare a mocked test case and an ``RbacUtils`` helper bound to it.

        The fake test object exposes mocked credentials, an admin roles client
        whose ``list_roles`` returns ``self.available_roles``, and identity
        version 3. ``_validate_switch_role`` is patched out only while the
        helper is constructed. The identity/rbac config overrides set here
        are undone through registered cleanups.
        """
        super(RBACUtilsTest, self).setUp()

        fake_test = mock.Mock(spec=lib_base.BaseTestCase)
        self.mock_test_obj = fake_test
        credential_attrs = {
            'credentials.user_id': mock.sentinel.user_id,
            'credentials.tenant_id': mock.sentinel.project_id,
        }
        fake_test.auth_provider = mock.Mock(**credential_attrs)
        admin_attrs = {
            'roles_v3_client.list_roles.return_value': self.available_roles,
        }
        fake_test.os_admin = mock.Mock(**admin_attrs)
        fake_test.get_identity_version = mock.Mock(return_value=3)

        # The role validation hook is replaced for the constructor call only;
        # the patch ends as soon as the ``with`` block exits.
        validation_patch = mock.patch.object(
            rbac_utils.RbacUtils, '_validate_switch_role')
        with validation_patch:
            helper = rbac_utils.RbacUtils(fake_test)
        self.rbac_utils = helper
        helper.switch_role_history = {}
        helper.admin_role_id = 'admin_id'
        helper.rbac_role_id = 'member_id'

        config_overrides = (
            ('admin_role', 'admin', 'identity'),
            ('auth_version', 'v3', 'identity'),
            ('rbac_test_role', 'Member', 'rbac'),
        )
        for option, value, group in config_overrides:
            CONF.set_override(option, value, group=group)

        # Clear the call records accumulated so far, so each test asserts
        # only on the calls it triggers itself.
        admin_roles_client = fake_test.os_admin.roles_v3_client
        admin_roles_client.create_user_role_on_project.reset_mock()
        fake_test.auth_provider.reset_mock()

        # Cleanups are registered in the same order as before.
        options_to_clear = (
            ('rbac_test_role', 'rbac'),
            ('admin_role', 'identity'),
            ('auth_version', 'identity'),
        )
        for option, group in options_to_clear:
            self.addCleanup(CONF.clear_override, option, group=group)
        self.addCleanup(mock.patch.stopall)
    def test_override_role_context_manager_simulate_fail(
            self, mock_override_role):
        """Check the ``_override_role`` calls made when the wrapped body raises.

        Expected sequence: the constructor calls ``_override_role`` with
        False, entering ``override_role`` calls it with True, and leaving the
        context through a ``Forbidden`` exception calls it with False again.
        That final call is the point of the test: a failing test body must
        not leave the role under test switched on.
        """
        fake_test = mock.MagicMock()
        helper = rbac_utils.RbacUtils(fake_test)

        # Construction alone must already have toggled with False.
        mock_override_role.assert_called_once_with(
            helper, fake_test, False)
        mock_override_role.reset_mock()

        with testtools.ExpectedException(lib_exc.Forbidden):
            with helper.override_role(fake_test):
                # Entering the public context manager must delegate to the
                # private method with True.
                mock_override_role.assert_called_once_with(
                    helper, fake_test, True)
                mock_override_role.reset_mock()
                # Simulate the negative case: the body fails while the role
                # is overridden.
                raise lib_exc.Forbidden()

        # Despite the exception, the toggle must have been reverted.
        mock_override_role.assert_called_once_with(
            helper, fake_test, False)
示例#3
    def setup_clients(cls):
        """Attach the RBAC helper and the volume clients to the test class.

        All four clients come from ``cls.os_primary``, i.e. the credentials
        the tests run with rather than the admin ones.
        """
        super(BaseVolumeRbacTest, cls).setup_clients()
        # NOTE(review): other snippets on this page show the RbacUtils
        # constructor triggering a role switch; if that holds for this
        # version, this line is not side-effect free -- confirm.
        cls.rbac_utils = rbac_utils.RbacUtils(cls)

        primary = cls.os_primary
        cls.volume_hosts_client = primary.volume_hosts_v2_client
        cls.volume_types_client = primary.volume_types_v2_client
        cls.groups_client = primary.groups_v3_client
        cls.group_types_client = primary.group_types_v3_client
示例#4
    def real_override_role(self, test_obj):
        """Run the genuine ``override_role`` around the caller's code.

        Builds a fresh ``RbacUtils`` for ``test_obj`` and yields while inside
        its ``override_role`` context, so a caller can finish installing its
        mocks before the real method is exercised.

        NOTE(review): this is a generator; presumably it is wrapped as a
        context manager by a decorator outside this excerpt -- confirm.
        """
        helper = rbac_utils.RbacUtils(test_obj)
        role_context = helper.override_role(test_obj)
        with role_context:
            yield
示例#5
    def setup_clients(cls):
        """Attach the RBAC helper and the version-specific volume clients.

        The clients are looked up by ``cls._api_version``; any value other
        than 2 or 3 raises ``KeyError``.
        """
        super(BaseVolumeRbacTest, cls).setup_clients()
        # Expose the primary credentials' auth provider on the class before
        # the helper is built.
        cls.auth_provider = cls.os_primary.auth_provider

        cls.rbac_utils = rbac_utils.RbacUtils(cls)

        # NOTE(review): versions 2 and 3 currently resolve to the same v2
        # clients -- confirm that is intended.
        clients_by_version = {
            2: [
                cls.os_primary.volume_hosts_v2_client,
                cls.os_primary.volume_types_v2_client,
            ],
            3: [
                cls.os_primary.volume_hosts_v2_client,
                cls.os_primary.volume_types_v2_client,
            ],
        }
        selected_clients = clients_by_version[cls._api_version]
        cls.volume_hosts_client, cls.volume_types_client = selected_clients
示例#6
    def override_role(self, *role_toggles):
        """Build an `rbac_utils.RbacUtils` and replay a series of toggles.

        An `rbac_utils.RbacUtils` is created for `self.mock_test_obj`, then
        its private `_override_role` is called once per value in
        `role_toggles`. As the original author notes, the total number of
        role overrides is 1 + len(`role_toggles`), because the
        `rbac_utils.RbacUtils` constructor performs one by itself.

        :param role_toggles: the boolean values passed, in order, to
            `_override_role`.
        """
        helper = rbac_utils.RbacUtils(self.mock_test_obj)

        for toggle in role_toggles:
            helper._override_role(self.mock_test_obj, toggle)
            # NOTE(felipemonteiro): Pretend the switch really happened by
            # making the user's current role the new one. The next toggle
            # then goes through every API action of a role switch (listing,
            # deleting and adding roles), which keeps the mock-call
            # assertions straightforward.
            if toggle:
                active_role = 'member'
            else:
                active_role = 'admin'
            self.set_roles(['admin', 'member'], [active_role])
    def test_override_role_context_manager_simulate_pass(
            self, mock_override_role):
        """Check the ``_override_role`` calls made when the body succeeds.

        Expected sequence: the constructor calls ``_override_role`` with
        False, entering ``override_role`` calls it with True, and a normal
        exit from the context calls it with False again.
        """
        fake_test = mock.MagicMock()
        helper = rbac_utils.RbacUtils(fake_test)

        # Construction alone must already have toggled with False.
        mock_override_role.assert_called_once_with(
            helper, fake_test, False)
        mock_override_role.reset_mock()

        role_context = helper.override_role(fake_test)
        with role_context:
            # Entering the public context manager must delegate to the
            # private method with True.
            mock_override_role.assert_called_once_with(
                helper, fake_test, True)
            mock_override_role.reset_mock()

        # Leaving the context must revert the toggle.
        mock_override_role.assert_called_once_with(
            helper, fake_test, False)
示例#8
 def setup_clients(cls):
     """Run the parent's client setup, then attach an ``RbacUtils`` helper.

     NOTE(review): other snippets on this page show the RbacUtils
     constructor triggering a role switch; if that holds for this version,
     building the helper is not side-effect free -- confirm.
     """
     super(BaseV2ImageRbacTest, cls).setup_clients()
     cls.rbac_utils = rbac_utils.RbacUtils(cls)
示例#9
 def setup_clients(cls):
     """Run the parent's client setup, then attach an ``RbacUtils`` helper."""
     super(BaseIdentityRbacTest, cls).setup_clients()
     # The primary credentials' auth provider is exposed on the class before
     # the helper is built. NOTE(review): presumably RbacUtils reads it from
     # the test object -- confirm.
     cls.auth_provider = cls.os_primary.auth_provider
     cls.rbac_utils = rbac_utils.RbacUtils(cls)
示例#10
    def setup_clients(cls):
        """Attach the RBAC helper and two compute clients to the test class.

        Both clients come from ``cls.os_primary``, i.e. the credentials the
        tests run with rather than the admin ones.
        """
        super(BaseV2ComputeRbacTest, cls).setup_clients()
        cls.rbac_utils = rbac_utils.RbacUtils(cls)

        cls.hosts_client = cls.os_primary.hosts_client
        cls.tenant_usages_client = cls.os_primary.tenant_usages_client
示例#11
 def setup_clients(cls):
     """Run the parent's client setup, then attach an ``RbacUtils`` helper.

     Unlike some other variants of this setup, ``cls.auth_provider`` is not
     assigned here before the helper is built.
     """
     super(BaseIdentityRbacTest, cls).setup_clients()
     cls.rbac_utils = rbac_utils.RbacUtils(cls)
示例#12
 def setup_clients(cls):
     """Attach the auth provider, RBAC helper and hosts client to the class."""
     super(BaseV2ComputeRbacTest, cls).setup_clients()
     # The primary credentials' auth provider is exposed on the class before
     # the helper is built. NOTE(review): presumably RbacUtils reads it from
     # the test object -- confirm.
     cls.auth_provider = cls.os_primary.auth_provider
     cls.rbac_utils = rbac_utils.RbacUtils(cls)
     cls.hosts_client = cls.os_primary.hosts_client
示例#13
 def setup_clients(cls):
     """Run the parent's client setup, then attach an ``RbacUtils`` helper.

     NOTE(review): other snippets on this page show the RbacUtils
     constructor triggering a role switch; if that holds for this version,
     building the helper is not side-effect free -- confirm.
     """
     super(BaseNetworkRbacTest, cls).setup_clients()
     cls.rbac_utils = rbac_utils.RbacUtils(cls)
示例#14
 def setup_clients(cls):
     """Create the admin client, the RBAC helper and the Contrail clients.

     Each Contrail service client listed below is built with the same
     arguments: the primary credentials' auth provider, the SDN catalog and
     endpoint types, the identity region, and the two TLS options read from
     ``CONF.identity``.
     """
     super(BaseContrailTest, cls).setup_clients()
     cls.auth_provider = cls.os_primary.auth_provider
     cls.admin_client = cls.os_admin.networks_client
     # NOTE(review): ``dscv`` carries the configured
     # ``disable_ssl_certificate_validation`` value to every client below.
     # Going by the option name, a true value presumably turns off server
     # certificate checks for all of them at once, with ``ca_certs`` then
     # having no effect -- confirm against the client implementation.
     dscv = CONF.identity.disable_ssl_certificate_validation
     ca_certs = CONF.identity.ca_certificates_file
     cls.rbac_utils = rbac_utils.RbacUtils(cls)

     # (class attribute, client class) pairs, in construction order.
     client_table = (
         ('access_control_client', AccessControlClient),
         ('alarm_client', AlarmClient),
         ('vm_client', VmContrailClient),
         ('dsa_client', DiscoveryServiceAssignmentClient),
         ('dsa_rule_client', DSARuleClient),
         ('forwarding_class_client', ForwardingClassClient),
         ('qos_client', QosContrailClient),
         ('routing_client', RoutingClient),
         ('security_group_client', SecurityGroupClient),
         ('service_appliances_client', ServiceAppliancesClient),
         ('analytics_node_client', AnalyticsNodeClient),
         ('vn_client', VirtualNetworkClient),
         ('db_client', ContrailDatabaseClient),
         ('fip_client', FloatingIpClient),
         ('fq_client', FqnameIdClient),
         ('virtual_ip_client', VirtualIPClient),
         ('virtual_dns_client', VirtualDNSClient),
         ('domain_client', DomainClient),
         ('project_client', ProjectClient),
         ('port_tuple_client', PortTupleClient),
         ('network_policy_client', NetworkPolicyClient),
         ('routing_policy_client', RoutingPolicyClient),
         ('namespace_client', NamespaceClient),
         ('network_ipams_client', NetworkIpamsClient),
         ('bgp_as_a_service_client', BGPAsAServiceClient),
         ('iip_client', InstanceIPClient),
         ('subnet_client', SubnetClient),
         ('load_balancer_client', LoadBalancerClient),
         ('route_client', RouteClient),
         ('interface_client', InterfaceClient),
         ('router_client', RouterClient),
         ('service_client', ServiceClient),
         ('attachments_client', AttachmentsClient),
         ('config_client', ConfigClient),
         ('alias_ip_client', AliasIPsClient),
     )
     for attr_name, client_cls in client_table:
         # Every client gets the same TLS settings, so no single service
         # can end up with different verification behaviour.
         setattr(cls, attr_name, client_cls(
             cls.auth_provider,
             CONF.sdn.catalog_type,
             CONF.identity.region,
             CONF.sdn.endpoint_type,
             disable_ssl_certificate_validation=dscv,
             ca_certs=ca_certs))