patrole_tempest_plugin.rbac_rule_validation module
- patrole_tempest_plugin.rbac_rule_validation.action(service, rules=None, expected_error_codes=None, extra_target_data=None)
A decorator for verifying OpenStack policy enforcement.
A decorator which allows for positive and negative RBAC testing. Given:
- an OpenStack service,
- a policy action (rule) enforced by that service, and
- the test roles defined by [patrole] rbac_test_roles,
it determines whether the test role has sufficient permissions to perform an API call that enforces the rule.
This decorator should only be applied to an instance or subclass of tempest.test.BaseTestCase.
The result from _is_authorized is used to determine the expected test result. The actual test result is determined by running the Tempest test this decorator applies to. Comparing the expected and actual results gives the following possibilities:
1. If expected is True and the test passes (actual), this is a success.
2. If expected is True and the test fails (actual), this results in an RbacUnderPermissionException exception failure.
3. If expected is False and the test passes (actual), this results in an RbacOverPermissionException exception failure.
4. If expected is False and the test fails (actual), this is a success.
As such, negative and positive testing can be applied using this decorator.
- Parameters
service (str) – An OpenStack service. Examples: "nova" or "neutron".
rules (list[str] or list[callable]) – A list of policy actions defined in a policy file or in code. The rules are logical-ANDed together to derive the expected result. Also accepts a list of callables that return a policy action.
Note
Patrole currently only supports custom JSON policy files.
expected_error_codes (list[int]) – When the rules list parameter is used, this list indicates the expected error code to use if one of the rules does not allow the role being tested. This list must coincide with the rules list, and its elements must remain in the same order as the rules. Example:

    rules=["api_action1", "api_action2"]
    expected_error_codes=[404, 403]

a) If api_action1 fails and api_action2 passes, then the expected error code is 404.
b) If api_action2 fails and api_action1 passes, then the expected error code is 403.
c) If both api_action1 and api_action2 fail, then the expected error code is the first error seen (404).
If it is not passed, then it defaults to 403.
Warning
A 404 should not be provided unless the endpoint masks a Forbidden exception as a NotFound exception.
extra_target_data (dict) – Dictionary, keyed with oslo.policy generic check names, whose values are string literals that reference nested tempest.test.BaseTestCase attributes. Used by oslo.policy for performing matching against attributes that are sent along with the API calls. Example:

    extra_target_data={
        "target.token.user_id": "os_alt.auth_provider.credentials.user_id"
    }
- Raises
RbacInvalidServiceException – If service is invalid.
RbacUnderPermissionException – For item (2) above.
RbacOverPermissionException – For item (3) above.
RbacExpectedWrongException – When a 403 is expected but a 404 is raised instead, or vice versa.
Examples:

    @rbac_rule_validation.action(
        service="nova",
        rules=["os_compute_api:os-agents"])
    def test_list_agents_rbac(self):
        # The call to `override_role` is mandatory.
        with self.override_role():
            self.agents_client.list_agents()
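The four expected-versus-actual outcomes above, together with the ordering rule for expected_error_codes, are easiest to see as a small executable model. The following block is an added illustration and not Patrole's own implementation: the exception classes, the POLICY_FILE and SERVICE_ENFORCES tables, is_authorized, fake_api_call and classify are all constructed stand-ins. The "expected" side is what a policy file says, the "actual" side is what a deployed service really enforces, and the two tables are deliberately made to disagree for api_action1 and api_action2 so that both the under-permission and over-permission verdicts can be exercised.

```python
# Constructed model of the comparison performed by rbac_rule_validation.action.
# Added illustration only; none of these names are Patrole's code.

class Forbidden(Exception):
    """Stand-in for the 403 a service raises on a denied call."""
    status = 403

class NotFound(Exception):
    """Stand-in for a 404; some endpoints mask Forbidden as NotFound."""
    status = 404

class RbacUnderPermissionException(Exception):
    """Item (2): expected allowed, but the actual call was denied."""

class RbacOverPermissionException(Exception):
    """Item (3): expected denied, but the actual call succeeded."""

class RbacExpectedWrongException(Exception):
    """Denied as expected, but with 404 instead of 403 or vice versa."""

# Expected side: roles the (constructed) policy file grants for each rule.
POLICY_FILE = {
    "os_compute_api:os-agents": {"admin"},
    "api_action1": {"admin", "member"},
    "api_action2": {"admin"},
}

# Actual side: what the (constructed) deployed service really enforces.
# api_action1 / api_action2 deliberately diverge from POLICY_FILE.
SERVICE_ENFORCES = {
    "os_compute_api:os-agents": {"admin"},
    "api_action1": {"admin"},            # policy file also allows member
    "api_action2": {"admin", "member"},  # policy file allows admin only
}

def is_authorized(role, rule):
    """Stand-in for Patrole's _is_authorized: evaluate the policy file."""
    return role in POLICY_FILE.get(rule, set())

def expected_outcome(role, rules, expected_error_codes=None):
    """Return (expected_allowed, expected_error_code).

    Rules are logical-ANDed: the first rule the role fails decides the
    expected error code, which defaults to 403 when no list is given.
    """
    codes = expected_error_codes or [403] * len(rules)
    if len(codes) != len(rules):
        raise ValueError("expected_error_codes must line up with rules")
    for rule, code in zip(rules, codes):
        if not is_authorized(role, rule):
            return False, code
    return True, None

def fake_api_call(role, rule, masks_forbidden_as_not_found=False):
    """Constructed endpoint: enforce rule the way the service really does."""
    if role not in SERVICE_ENFORCES.get(rule, set()):
        raise NotFound() if masks_forbidden_as_not_found else Forbidden()
    return "ok"

def classify(role, rules, test_body, expected_error_codes=None):
    """Run test_body as role and name the outcome.

    Patrole runs the decorated test method under override_role; this
    model simply takes any callable standing in for that body.
    """
    allowed, code = expected_outcome(role, rules, expected_error_codes)
    try:
        test_body()
    except (Forbidden, NotFound) as exc:
        if allowed:
            return "RbacUnderPermissionException"  # item (2)
        if exc.status != code:
            return "RbacExpectedWrongException"    # right verdict, wrong code
        return "success"                           # item (4)
    return "success" if allowed else "RbacOverPermissionException"  # (1)/(3)

OUTCOME_EXCEPTIONS = {
    "RbacUnderPermissionException": RbacUnderPermissionException,
    "RbacOverPermissionException": RbacOverPermissionException,
    "RbacExpectedWrongException": RbacExpectedWrongException,
}

def validate(role, rules, test_body, expected_error_codes=None):
    """Same comparison as classify, but raise as the real decorator does."""
    outcome = classify(role, rules, test_body, expected_error_codes)
    if outcome != "success":
        raise OUTCOME_EXCEPTIONS[outcome](f"role={role!r}, rules={rules}")
    return outcome

if __name__ == "__main__":
    for role, rule in [("admin", "os_compute_api:os-agents"),
                       ("member", "api_action1"), ("member", "api_action2")]:
        print(role, rule, classify(role, [rule], lambda: fake_api_call(role, rule)))
```

Two details worth noticing when running it: a member calling api_action1 is reported as under-permission (the policy file promised access the service does not grant), while api_action2 is reported as over-permission (the service grants access the policy file denies); and a masked 404 only counts as a success when expected_error_codes says 404 for the failing rule, which is exactly the situation the warning on expected_error_codes describes.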