patrole_tempest_plugin.rbac_rule_validation.action(service, rules=None, expected_error_codes=None, extra_target_data=None)

A decorator for verifying OpenStack policy enforcement.
A decorator which allows for positive and negative RBAC testing. Given:

  - an OpenStack service,
  - a policy action (rule) enforced by that service, and
  - the test roles defined by [patrole] rbac_test_roles,

it determines whether the test role has sufficient permissions to perform an API call that enforces the rule.

This decorator should only be applied to an instance or subclass of tempest.test.BaseTestCase.

The result from _is_authorized is used to determine the expected test result. The actual test result is determined by running the Tempest test this decorator applies to.

Below are the possibilities from comparing the expected and actual results:

  1. If expected is True and the test passes (actual), this is a success.
  2. If expected is True and the test fails (actual), this results in a RbacUnderPermissionException exception failure.
  3. If expected is False and the test passes (actual), this results in an RbacOverPermissionException exception failure.
  4. If expected is False and the test fails (actual), this is a success.

As such, negative and positive testing can be applied using this decorator.
Parameters:

  service (str) – An OpenStack service. Examples: “nova” or “neutron”.

  rules (list[str] or list[callable]) – A list of policy actions defined in a policy file or in code. The rules are logical-ANDed together to derive the expected result. Also accepts a list of callables that return a policy action.

    Note: Patrole currently only supports custom JSON policy files.

  expected_error_codes (list[int]) – When the rules list parameter is used, then this list indicates the expected error code to use if one of the rules does not allow the role being tested. This list must coincide with, and its elements remain in the same order as, the rules in the rules list. Example:

        rules=["api_action1", "api_action2"]
        expected_error_codes=[404, 403]

    If api_action1 fails and api_action2 passes, then the expected error code is 404.
    If api_action2 fails and api_action1 passes, then the expected error code is 403.
    If both api_action1 and api_action2 fail, then the expected error code is the first error seen (404).

    If it is not passed, then it is defaulted to 403.

    Warning: A 404 should not be provided unless the endpoint masks a Forbidden exception as a NotFound exception.

  extra_target_data (dict) – Dictionary, keyed with oslo.policy generic check names, whose values are string literals that reference nested tempest.test.BaseTestCase attributes. Used by oslo.policy for performing matching against attributes that are sent along with the API calls. Example:

        extra_target_data={
            "target.token.user_id":
            "os_alt.auth_provider.credentials.user_id"
        }
Raises:

  RbacInvalidServiceException – If service is invalid.
  RbacUnderPermissionException – For item (2) above.
  RbacOverPermissionException – For item (3) above.
  RbacExpectedWrongException – When a 403 is expected but a 404 is raised instead or vice versa.
Examples:

    @rbac_rule_validation.action(
        service="nova",
        rules=["os_compute_api:os-agents"])
    def test_list_agents_rbac(self):
        # The call to `override_role` is mandatory.
        with self.override_role():
            self.agents_client.list_agents()
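The four outcomes listed above and the positional expected_error_codes rule, as a stand-alone model added here (this is not Patrole's code; the `authorized` mapping stands in for _is_authorized and the exception classes are local stand-ins):

```python
# Added example, not Patrole's own code: a stand-alone model of the
# expected-vs-actual decision described on this page. The exception
# classes and the `authorized` mapping (standing in for `_is_authorized`)
# are assumptions made here so the logic runs offline.

class RbacUnderPermissionException(Exception):
    """Role was expected to be allowed, but the API call was refused."""

class RbacOverPermissionException(Exception):
    """Role was expected to be refused, but the API call succeeded."""

class RbacExpectedWrongException(Exception):
    """A 403 was expected but a 404 was raised, or vice versa."""

def expected_result(rules, authorized, expected_error_codes=None):
    """Return (expected_allowed, expected_error_code).

    Rules are logical-ANDed: the role passes only if every rule allows it.
    expected_error_codes aligns positionally with rules; the code of the
    first failing rule wins, and the default is 403 for every rule.
    """
    if expected_error_codes is None:
        expected_error_codes = [403] * len(rules)
    if len(expected_error_codes) != len(rules):
        raise ValueError("expected_error_codes must align with rules")
    for rule, code in zip(rules, expected_error_codes):
        if not authorized[rule]:
            return False, code
    return True, None

def compare(expected_allowed, expected_code, actual_status):
    """Map the four expected/actual combinations onto the page's outcomes.

    actual_status is None when the test passed, otherwise the HTTP status
    of the exception it raised. Only 403 and 404 count as RBAC refusals;
    any other status is an unrelated failure and is re-raised (assumption).
    """
    if actual_status is None:
        if expected_allowed:
            return "success"                                    # item (1)
        raise RbacOverPermissionException("call should be refused")  # (3)
    if actual_status not in (403, 404):
        raise RuntimeError("unrelated failure: HTTP %d" % actual_status)
    if expected_allowed:
        raise RbacUnderPermissionException("call should succeed")   # (2)
    if actual_status != expected_code:
        raise RbacExpectedWrongException(
            "expected %d but got %d" % (expected_code, actual_status))
    return "success"                                            # item (4)
```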
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.