Add tempest api tests for address scopes RBAC

Change-Id: I0a625019ab7495a71125edbd37d9005a4675b86b
Partial-Bug: #1862968
Depends-On: https://review.opendev.org/709122

.zuul.yaml

@@ -63,6 +63,7 @@
         - qos-fip
         - quotas
         - quota_details
+        - rbac-address-scope
         - rbac-policies
         - rbac-security-groups
         - router

neutron_tempest_plugin/api/base.py

@@ -789,12 +789,15 @@ class BaseNetworkTest(test.BaseTestCase):
         return body['address_scope']
 
     @classmethod
-    def create_subnetpool(cls, name, is_admin=False, **kwargs):
+    def create_subnetpool(cls, name, is_admin=False, client=None, **kwargs):
+        if client is None:
+            client = cls.admin_client if is_admin else cls.client
+
         if is_admin:
-            body = cls.admin_client.create_subnetpool(name, **kwargs)
+            body = client.create_subnetpool(name, **kwargs)
             cls.admin_subnetpools.append(body['subnetpool'])
         else:
-            body = cls.client.create_subnetpool(name, **kwargs)
+            body = client.create_subnetpool(name, **kwargs)
             cls.subnetpools.append(body['subnetpool'])
         return body['subnetpool']
 

neutron_tempest_plugin/api/test_address_scopes.py

@@ -11,6 +11,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import testtools
 
 from tempest.common import utils
 from tempest.lib.common.utils import data_utils
@@ -115,3 +116,141 @@ class AddressScopeTest(AddressScopeTestBase):
         address_scope = self._test_update_address_scope_helper(is_admin=True,
                                                                shared=True)
         self.assertTrue(address_scope['shared'])
+
+
+class RbacAddressScopeTest(AddressScopeTestBase):
+
+    force_tenant_isolation = True
+    credentials = ['primary', 'alt', 'admin']
+    required_extensions = ['address-scope', 'rbac-address-scope']
+
+    @classmethod
+    def resource_setup(cls):
+        super(RbacAddressScopeTest, cls).resource_setup()
+        cls.client2 = cls.os_alt.network_client
+
+    def _make_admin_as_shared_to_project_id(self, project_id):
+        a_s = self._create_address_scope(ip_version=4, is_admin=True)
+        rbac_policy = self.admin_client.create_rbac_policy(
+            object_type='address_scope',
+            object_id=a_s['id'],
+            action='access_as_shared',
+            target_tenant=project_id,
+        )['rbac_policy']
+        return {'address_scope': a_s, 'rbac_policy': rbac_policy}
+
+    @decorators.idempotent_id('038e999b-cd4b-4021-a9ff-ebb734f6e056')
+    def test_policy_target_update(self):
+        res = self._make_admin_as_shared_to_project_id(
+            self.client.tenant_id)
+        # change to client2
+        update_res = self.admin_client.update_rbac_policy(
+                res['rbac_policy']['id'], target_tenant=self.client2.tenant_id)
+        self.assertEqual(self.client2.tenant_id,
+                         update_res['rbac_policy']['target_tenant'])
+        # make sure everything else stayed the same
+        res['rbac_policy'].pop('target_tenant')
+        update_res['rbac_policy'].pop('target_tenant')
+        self.assertEqual(res['rbac_policy'], update_res['rbac_policy'])
+
+    @decorators.idempotent_id('798ac6c6-96cc-49ce-ba5c-c6eced7a09d3')
+    def test_subnet_pool_presence_prevents_rbac_policy_deletion(self):
+        res = self._make_admin_as_shared_to_project_id(
+            self.client2.tenant_id)
+        snp = self.create_subnetpool(
+            data_utils.rand_name("rbac-address-scope"),
+            default_prefixlen=24, prefixes=['10.0.0.0/8'],
+            address_scope_id=res['address_scope']['id'],
+            client=self.client2
+        )
+        self.addCleanup(
+            self.admin_client.delete_rbac_policy,
+            res['rbac_policy']['id']
+        )
+        self.addCleanup(self.client2.delete_subnetpool, snp['id'])
+
+        # a port with shared sg should prevent the deletion of an
+        # rbac-policy required for it to be shared
+        with testtools.ExpectedException(lib_exc.Conflict):
+            self.admin_client.delete_rbac_policy(res['rbac_policy']['id'])
+
+    @decorators.idempotent_id('57da6ba2-6329-49c8-974c-9858fe187136')
+    def test_regular_client_shares_to_another_regular_client(self):
+        # owned by self.admin_client
+        a_s = self._create_address_scope(ip_version=4, is_admin=True)
+        with testtools.ExpectedException(lib_exc.NotFound):
+            self.client.show_address_scope(a_s['id'])
+        rbac_policy = self.admin_client.create_rbac_policy(
+            object_type='address_scope', object_id=a_s['id'],
+            action='access_as_shared',
+            target_tenant=self.client.tenant_id)['rbac_policy']
+        self.client.show_address_scope(a_s['id'])
+
+        self.assertIn(rbac_policy,
+                      self.admin_client.list_rbac_policies()['rbac_policies'])
+        # ensure that 'client2' can't see the rbac-policy sharing the
+        # as to it because the rbac-policy belongs to 'client'
+        self.assertNotIn(rbac_policy['id'], [p['id'] for p in
+                         self.client2.list_rbac_policies()['rbac_policies']])
+
+    @decorators.idempotent_id('051248e7-d66f-4c69-9022-2b73ee5b9e73')
+    def test_filter_fields(self):
+        a_s = self._create_address_scope(ip_version=4)
+        self.admin_client.create_rbac_policy(
+            object_type='address_scope', object_id=a_s['id'],
+            action='access_as_shared', target_tenant=self.client2.tenant_id)
+        field_args = (('id',), ('id', 'action'), ('object_type', 'object_id'),
+                      ('project_id', 'target_tenant'))
+        for fields in field_args:
+            res = self.admin_client.list_rbac_policies(fields=fields)
+            self.assertEqual(set(fields), set(res['rbac_policies'][0].keys()))
+
+    @decorators.idempotent_id('19cbd62e-c6c3-4495-98b9-b9c6c6c9c127')
+    def test_rbac_policy_show(self):
+        res = self._make_admin_as_shared_to_project_id(
+            self.client.tenant_id)
+        p1 = res['rbac_policy']
+        p2 = self.admin_client.create_rbac_policy(
+            object_type='address_scope',
+            object_id=res['address_scope']['id'],
+            action='access_as_shared',
+            target_tenant='*')['rbac_policy']
+
+        self.assertEqual(
+            p1, self.admin_client.show_rbac_policy(p1['id'])['rbac_policy'])
+        self.assertEqual(
+            p2, self.admin_client.show_rbac_policy(p2['id'])['rbac_policy'])
+
+    @decorators.idempotent_id('88852ba0-8546-4ce7-8f79-4a9c840c881d')
+    def test_filter_rbac_policies(self):
+        a_s = self._create_address_scope(ip_version=4)
+        rbac_pol1 = self.admin_client.create_rbac_policy(
+            object_type='address_scope', object_id=a_s['id'],
+            action='access_as_shared',
+            target_tenant=self.client2.tenant_id)['rbac_policy']
+        rbac_pol2 = self.admin_client.create_rbac_policy(
+            object_type='address_scope', object_id=a_s['id'],
+            action='access_as_shared',
+            target_tenant=self.admin_client.tenant_id)['rbac_policy']
+        res1 = self.admin_client.list_rbac_policies(id=rbac_pol1['id'])[
+            'rbac_policies']
+        res2 = self.admin_client.list_rbac_policies(id=rbac_pol2['id'])[
+            'rbac_policies']
+        self.assertEqual(1, len(res1))
+        self.assertEqual(1, len(res2))
+        self.assertEqual(rbac_pol1['id'], res1[0]['id'])
+        self.assertEqual(rbac_pol2['id'], res2[0]['id'])
+
+    @decorators.idempotent_id('222a638d-819e-41a7-a3fe-550265c06e79')
+    def test_regular_client_blocked_from_sharing_anothers_policy(self):
+        a_s = self._make_admin_as_shared_to_project_id(
+            self.client.tenant_id)['address_scope']
+        with testtools.ExpectedException(lib_exc.BadRequest):
+            self.client.create_rbac_policy(
+                object_type='address_scope', object_id=a_s['id'],
+                action='access_as_shared',
+                target_tenant=self.client2.tenant_id)
+
+        # make sure the rbac-policy is invisible to the tenant for which it's
+        # being shared
+        self.assertFalse(self.client.list_rbac_policies()['rbac_policies'])

neutron_tempest_plugin/api/test_subnetpools_negative.py

@@ -12,6 +12,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import testtools
 
 import netaddr
 from oslo_utils import uuidutils
@@ -171,14 +172,12 @@ class SubnetPoolsNegativeTestJSON(test_subnetpools.SubnetPoolsTestBase):
 
     @decorators.attr(type='negative')
     @decorators.idempotent_id('3396ec6c-cb80-4ebe-b897-84e904580bdf')
+    @testtools.skipIf(
+        utils.is_extension_enabled('rbac-address-scope', 'network'),
+        reason="Test is outdated starting from Ussuri release."
+    )
     @utils.requires_ext(extension='address-scope', service='network')
     def test_tenant_create_subnetpool_associate_shared_address_scope(self):
-        # TODO(imalinovskiy): This test is temporary disabled
-        # to be able to test & merge
-        # https://review.opendev.org/709122/ and will be enabled again in
-        # https://review.opendev.org/711610/
-        self.skipTest("Temporary disabled")
-
         address_scope = self.create_address_scope(
             name=data_utils.rand_name('smoke-address-scope'), is_admin=True,
             shared=True, ip_version=4)