Implement basic protection testing jobs
This commit lays down a basic structure for protection tests. These are
useful for testing various secure RBAC personas, but leveraging all the
dynamic credential work in tempest's authentication libraries to
provision clients for testing. We're also adding a non-voting protection
test job so that we can integrate protection testing into the cinder
gate as we work through policy changes.
This commit also adds some basic tests exercising the capabilities
admin-only API. These tests ensure that only operators (e.g.,
system-administrators) or formally known as project-administrators, can
access the capabilities API. Assertions and functionality in these tests
may expand in the future to accomodate system-scope when cinder can
properly consume system-scoped tokens from keystone.
For now, the tests assume project-administrators are deployment
operators, which is the legacy way of denoting "admin-ness" in OpenStack
deployments.
Depends-On: https://review.opendev.org/c/openstack/tempest/+/778753
Change-Id: I6d4ae6d516f4c2dda4dcb6b974857b34f2ef2254
Lance Bragstad authored 5 years ago
Luigi Toscano committed 5 years ago
| 13 | 13 | - cinder-tempest-plugin-basic-victoria |
| 14 | 14 | - cinder-tempest-plugin-basic-ussuri |
| 15 | 15 | - cinder-tempest-plugin-basic-train |
| 16 | # Set this job to voting once we have some actual tests to run | |
| 17 | - cinder-tempest-plugin-protection-functional: | |
| 18 | voting: false | |
| 16 | 19 | gate: |
| 17 | 20 | jobs: |
| 18 | 21 | - cinder-tempest-plugin-lvm-lio-barbican |
| 23 | 26 | - cinder-tempest-plugin-cbak-ceph-victoria |
| 24 | 27 | - cinder-tempest-plugin-cbak-ceph-ussuri |
| 25 | 28 | - cinder-tempest-plugin-cbak-ceph-train |
| 29 | ||
| 30 | - job: | |
| 31 | name: cinder-tempest-plugin-protection-functional | |
| 32 | parent: devstack-tempest | |
| 33 | required-projects: | |
| 34 | - opendev.org/openstack/cinder-tempest-plugin | |
| 35 | - opendev.org/openstack/cinder | |
| 36 | vars: | |
| 37 | tox_envlist: all | |
| 38 | tempest_test_regex: 'cinder_tempest_plugin.rbac' | |
| 39 | devstack_local_conf: | |
| 40 | test-config: | |
| 41 | $CINDER_CONF: | |
| 42 | oslo_policy: | |
| 43 | enforce_new_defaults: True | |
| 44 | $TEMPEST_CONFIG: | |
| 45 | enforce_scope: | |
| 46 | cinder: True | |
| 47 | tempest_plugins: | |
| 48 | - cinder-tempest-plugin | |
| 26 | 49 | |
| 27 | 50 | - job: |
| 28 | 51 | name: cinder-tempest-plugin-lvm-barbican-base-abstract |
| 0 | # Licensed under the Apache License, Version 2.0 (the "License"); you may | |
| 1 | # not use this file except in compliance with the License. You may obtain | |
| 2 | # a copy of the License at | |
| 3 | # | |
| 4 | # http://www.apache.org/licenses/LICENSE-2.0 | |
| 5 | # | |
| 6 | # Unless required by applicable law or agreed to in writing, software | |
| 7 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | |
| 8 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | |
| 9 | # License for the specific language governing permissions and limitations | |
| 10 | # under the License. | |
| 11 | ||
| 12 | from tempest import config | |
| 13 | ||
| 14 | CONF = config.CONF | |
| 15 | ||
| 16 | ||
| 17 | class VolumeV3RbacBaseTests(object): | |
| 18 | ||
| 19 | identity_version = 'v3' | |
| 20 | ||
| 21 | @classmethod | |
| 22 | def skip_checks(cls): | |
| 23 | super(VolumeV3RbacBaseTests, cls).skip_checks() | |
| 24 | if not CONF.enforce_scope.cinder: | |
| 25 | raise cls.skipException( | |
| 26 | "Tempest is not configured to enforce_scope for cinder, " | |
| 27 | "skipping RBAC tests. To enable these tests set " | |
| 28 | "`tempest.conf [enforce_scope] cinder=True`." | |
| 29 | ) | |
| 30 | ||
| 31 | def do_request(self, method, expected_status=200, client=None, **payload): | |
| 32 | if not client: | |
| 33 | client = self.client | |
| 34 | if isinstance(expected_status, type(Exception)): | |
| 35 | self.assertRaises(expected_status, | |
| 36 | getattr(client, method), | |
| 37 | **payload) | |
| 38 | else: | |
| 39 | response = getattr(client, method)(**payload) | |
| 40 | self.assertEqual(response.response.status, expected_status) | |
| 41 | return response |
| 0 | # Licensed under the Apache License, Version 2.0 (the "License"); you may | |
| 1 | # not use this file except in compliance with the License. You may obtain | |
| 2 | # a copy of the License at | |
| 3 | # | |
| 4 | # http://www.apache.org/licenses/LICENSE-2.0 | |
| 5 | # | |
| 6 | # Unless required by applicable law or agreed to in writing, software | |
| 7 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | |
| 8 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | |
| 9 | # License for the specific language governing permissions and limitations | |
| 10 | # under the License. | |
| 11 | ||
| 12 | import abc | |
| 13 | ||
| 14 | from tempest.lib import exceptions | |
| 15 | ||
| 16 | from cinder_tempest_plugin.api.volume import base | |
| 17 | from cinder_tempest_plugin.rbac.v3 import base as rbac_base | |
| 18 | ||
| 19 | ||
| 20 | class VolumeV3RbacCapabilityTests(rbac_base.VolumeV3RbacBaseTests, | |
| 21 | metaclass=abc.ABCMeta): | |
| 22 | ||
| 23 | @classmethod | |
| 24 | def setup_clients(cls): | |
| 25 | super().setup_clients() | |
| 26 | cls.persona = getattr(cls, 'os_%s' % cls.credentials[0]) | |
| 27 | cls.client = cls.persona.volume_capabilities_client_latest | |
| 28 | # NOTE(lbragstad): This admin_client will be more useful later when | |
| 29 | # cinder supports system-scope and we need it for administrative | |
| 30 | # operations. For now, keep os_project_admin as the admin client until | |
| 31 | # we have system-scope. | |
| 32 | admin_client = cls.os_project_admin | |
| 33 | cls.admin_capabilities_client = ( | |
| 34 | admin_client.volume_capabilities_client_latest) | |
| 35 | cls.admin_stats_client = ( | |
| 36 | admin_client.volume_scheduler_stats_client_latest) | |
| 37 | ||
| 38 | @classmethod | |
| 39 | def setup_credentials(cls): | |
| 40 | super().setup_credentials() | |
| 41 | cls.os_primary = getattr(cls, 'os_%s' % cls.credentials[0]) | |
| 42 | ||
| 43 | @abc.abstractmethod | |
| 44 | def test_get_capabilities(self): | |
| 45 | """Test volume_extension:capabilities policy. | |
| 46 | ||
| 47 | This test must check: | |
| 48 | * whether the persona can fetch capabilities for a host. | |
| 49 | ||
| 50 | """ | |
| 51 | pass | |
| 52 | ||
| 53 | ||
| 54 | class ProjectAdminTests(VolumeV3RbacCapabilityTests, base.BaseVolumeTest): | |
| 55 | ||
| 56 | credentials = ['project_admin', 'system_admin'] | |
| 57 | ||
| 58 | def test_get_capabilities(self): | |
| 59 | pools = self.admin_stats_client.list_pools()['pools'] | |
| 60 | host_name = pools[0]['name'] | |
| 61 | self.do_request('show_backend_capabilities', expected_status=200, | |
| 62 | host=host_name) | |
| 63 | ||
| 64 | ||
| 65 | class ProjectMemberTests(ProjectAdminTests, base.BaseVolumeTest): | |
| 66 | ||
| 67 | credentials = ['project_member', 'project_admin', 'system_admin'] | |
| 68 | ||
| 69 | def test_get_capabilities(self): | |
| 70 | pools = self.admin_stats_client.list_pools()['pools'] | |
| 71 | host_name = pools[0]['name'] | |
| 72 | self.do_request('show_backend_capabilities', | |
| 73 | expected_status=exceptions.Forbidden, | |
| 74 | host=host_name) | |
| 75 | ||
| 76 | ||
| 77 | class ProjectReaderTests(ProjectMemberTests, base.BaseVolumeTest): | |
| 78 | ||
| 79 | credentials = ['project_reader', 'project_admin', 'system_admin'] |