diff --git a/.zuul.yaml b/.zuul.yaml index 2e99198a..aa954039 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -63,6 +63,7 @@ - qos-fip - quotas - quota_details + - rbac-address-scope - rbac-policies - rbac-security-groups - router diff --git a/neutron_tempest_plugin/api/base.py b/neutron_tempest_plugin/api/base.py index f8cb339f..1b022117 100644 --- a/neutron_tempest_plugin/api/base.py +++ b/neutron_tempest_plugin/api/base.py @@ -789,12 +789,15 @@ class BaseNetworkTest(test.BaseTestCase): return body['address_scope'] @classmethod - def create_subnetpool(cls, name, is_admin=False, **kwargs): + def create_subnetpool(cls, name, is_admin=False, client=None, **kwargs): + if client is None: + client = cls.admin_client if is_admin else cls.client + if is_admin: - body = cls.admin_client.create_subnetpool(name, **kwargs) + body = client.create_subnetpool(name, **kwargs) cls.admin_subnetpools.append(body['subnetpool']) else: - body = cls.client.create_subnetpool(name, **kwargs) + body = client.create_subnetpool(name, **kwargs) cls.subnetpools.append(body['subnetpool']) return body['subnetpool'] diff --git a/neutron_tempest_plugin/api/test_address_scopes.py b/neutron_tempest_plugin/api/test_address_scopes.py index 6cf0885c..b8c143aa 100644 --- a/neutron_tempest_plugin/api/test_address_scopes.py +++ b/neutron_tempest_plugin/api/test_address_scopes.py @@ -11,6 +11,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import testtools from tempest.common import utils from tempest.lib.common.utils import data_utils @@ -115,3 +116,141 @@ class AddressScopeTest(AddressScopeTestBase): address_scope = self._test_update_address_scope_helper(is_admin=True, shared=True) self.assertTrue(address_scope['shared']) + + +class RbacAddressScopeTest(AddressScopeTestBase): + + force_tenant_isolation = True + credentials = ['primary', 'alt', 'admin'] + required_extensions = ['address-scope', 'rbac-address-scope'] + + @classmethod + def resource_setup(cls): + super(RbacAddressScopeTest, cls).resource_setup() + cls.client2 = cls.os_alt.network_client + + def _make_admin_as_shared_to_project_id(self, project_id): + a_s = self._create_address_scope(ip_version=4, is_admin=True) + rbac_policy = self.admin_client.create_rbac_policy( + object_type='address_scope', + object_id=a_s['id'], + action='access_as_shared', + target_tenant=project_id, + )['rbac_policy'] + return {'address_scope': a_s, 'rbac_policy': rbac_policy} + + @decorators.idempotent_id('038e999b-cd4b-4021-a9ff-ebb734f6e056') + def test_policy_target_update(self): + res = self._make_admin_as_shared_to_project_id( + self.client.tenant_id) + # change to client2 + update_res = self.admin_client.update_rbac_policy( + res['rbac_policy']['id'], target_tenant=self.client2.tenant_id) + self.assertEqual(self.client2.tenant_id, + update_res['rbac_policy']['target_tenant']) + # make sure everything else stayed the same + res['rbac_policy'].pop('target_tenant') + update_res['rbac_policy'].pop('target_tenant') + self.assertEqual(res['rbac_policy'], update_res['rbac_policy']) + + @decorators.idempotent_id('798ac6c6-96cc-49ce-ba5c-c6eced7a09d3') + def test_subnet_pool_presence_prevents_rbac_policy_deletion(self): + res = self._make_admin_as_shared_to_project_id( + self.client2.tenant_id) + snp = self.create_subnetpool( + data_utils.rand_name("rbac-address-scope"), + default_prefixlen=24, prefixes=['10.0.0.0/8'], + address_scope_id=res['address_scope']['id'], + client=self.client2 + ) + self.addCleanup( + self.admin_client.delete_rbac_policy, + res['rbac_policy']['id'] + ) + self.addCleanup(self.client2.delete_subnetpool, snp['id']) + + # a port with shared sg should prevent the deletion of an + # rbac-policy required for it to be shared + with testtools.ExpectedException(lib_exc.Conflict): + self.admin_client.delete_rbac_policy(res['rbac_policy']['id']) + + @decorators.idempotent_id('57da6ba2-6329-49c8-974c-9858fe187136') + def test_regular_client_shares_to_another_regular_client(self): + # owned by self.admin_client + a_s = self._create_address_scope(ip_version=4, is_admin=True) + with testtools.ExpectedException(lib_exc.NotFound): + self.client.show_address_scope(a_s['id']) + rbac_policy = self.admin_client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', + target_tenant=self.client.tenant_id)['rbac_policy'] + self.client.show_address_scope(a_s['id']) + + self.assertIn(rbac_policy, + self.admin_client.list_rbac_policies()['rbac_policies']) + # ensure that 'client2' can't see the rbac-policy sharing the + # as to it because the rbac-policy belongs to 'client' + self.assertNotIn(rbac_policy['id'], [p['id'] for p in + self.client2.list_rbac_policies()['rbac_policies']]) + + @decorators.idempotent_id('051248e7-d66f-4c69-9022-2b73ee5b9e73') + def test_filter_fields(self): + a_s = self._create_address_scope(ip_version=4) + self.admin_client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', target_tenant=self.client2.tenant_id) + field_args = (('id',), ('id', 'action'), ('object_type', 'object_id'), + ('project_id', 'target_tenant')) + for fields in field_args: + res = self.admin_client.list_rbac_policies(fields=fields) + self.assertEqual(set(fields), set(res['rbac_policies'][0].keys())) + + @decorators.idempotent_id('19cbd62e-c6c3-4495-98b9-b9c6c6c9c127') + def test_rbac_policy_show(self): + res = self._make_admin_as_shared_to_project_id( + self.client.tenant_id) + p1 = res['rbac_policy'] + p2 = self.admin_client.create_rbac_policy( + object_type='address_scope', + object_id=res['address_scope']['id'], + action='access_as_shared', + target_tenant='*')['rbac_policy'] + + self.assertEqual( + p1, self.admin_client.show_rbac_policy(p1['id'])['rbac_policy']) + self.assertEqual( + p2, self.admin_client.show_rbac_policy(p2['id'])['rbac_policy']) + + @decorators.idempotent_id('88852ba0-8546-4ce7-8f79-4a9c840c881d') + def test_filter_rbac_policies(self): + a_s = self._create_address_scope(ip_version=4) + rbac_pol1 = self.admin_client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', + target_tenant=self.client2.tenant_id)['rbac_policy'] + rbac_pol2 = self.admin_client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', + target_tenant=self.admin_client.tenant_id)['rbac_policy'] + res1 = self.admin_client.list_rbac_policies(id=rbac_pol1['id'])[ + 'rbac_policies'] + res2 = self.admin_client.list_rbac_policies(id=rbac_pol2['id'])[ + 'rbac_policies'] + self.assertEqual(1, len(res1)) + self.assertEqual(1, len(res2)) + self.assertEqual(rbac_pol1['id'], res1[0]['id']) + self.assertEqual(rbac_pol2['id'], res2[0]['id']) + + @decorators.idempotent_id('222a638d-819e-41a7-a3fe-550265c06e79') + def test_regular_client_blocked_from_sharing_anothers_policy(self): + a_s = self._make_admin_as_shared_to_project_id( + self.client.tenant_id)['address_scope'] + with testtools.ExpectedException(lib_exc.BadRequest): + self.client.create_rbac_policy( + object_type='address_scope', object_id=a_s['id'], + action='access_as_shared', + target_tenant=self.client2.tenant_id) + + # make sure the rbac-policy is invisible to the tenant for which it's + # being shared + self.assertFalse(self.client.list_rbac_policies()['rbac_policies']) diff --git a/neutron_tempest_plugin/api/test_subnetpools_negative.py b/neutron_tempest_plugin/api/test_subnetpools_negative.py index 5513c868..1e222dfd 100644 --- a/neutron_tempest_plugin/api/test_subnetpools_negative.py +++ b/neutron_tempest_plugin/api/test_subnetpools_negative.py @@ -12,6 +12,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import testtools import netaddr from oslo_utils import uuidutils @@ -171,14 +172,12 @@ class SubnetPoolsNegativeTestJSON(test_subnetpools.SubnetPoolsTestBase): @decorators.attr(type='negative') @decorators.idempotent_id('3396ec6c-cb80-4ebe-b897-84e904580bdf') + @testtools.skipIf( + utils.is_extension_enabled('rbac-address-scope', 'network'), + reason="Test is outdated starting from Ussuri release." + ) @utils.requires_ext(extension='address-scope', service='network') def test_tenant_create_subnetpool_associate_shared_address_scope(self): - # TODO(imalinovskiy): This test is temporary disabled - # to be able to test & merge - # https://review.opendev.org/709122/ and will be enabled again in - # https://review.opendev.org/711610/ - self.skipTest("Temporary disabled") - address_scope = self.create_address_scope( name=data_utils.rand_name('smoke-address-scope'), is_admin=True, shared=True, ip_version=4)