778d67dc6b
Since the env option and fixtures depending on it were not in use by any RBAC test anymore, they were removed from code. Fixtures removed: - env Story: 2009156 Task: 43128 Signed-off-by: Rafael Fayan <RafaelShibana.Fayan@windriver.com> Change-Id: I15c3758263c3ec00385e063cad03f82f92fbd21d
1092 lines
40 KiB
Python
1092 lines
40 KiB
Python
#
|
|
# Copyright (c) 2021 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# All Rights Reserved.
|
|
#
|
|
|
|
import pytest
|
|
|
|
from openstack import exceptions
|
|
from novaclient import exceptions as ncExceptions
|
|
from pprint import pprint
|
|
from tests.fv_rbac import debug
|
|
from tests.fv_rbac import OpenStackRouterInterface
|
|
from tests.test_nova.rbac_nova import OpenStackComputeTesting
|
|
|
|
|
|
@pytest.fixture(scope='class', autouse=True)
|
|
def networking_setup(request, network_admin_setup):
|
|
|
|
cfg = network_admin_setup
|
|
request.cls.os_sdk_admin_conn = cfg.os_sdk_admin_conn
|
|
request.cls.users = cfg.users
|
|
request.cls.user02 = cfg.user02
|
|
request.cls.user11 = cfg.user11
|
|
request.cls.user12 = cfg.user12
|
|
request.cls.user13 = cfg.user13
|
|
request.cls.user21 = cfg.user21
|
|
request.cls.user22 = cfg.user22
|
|
request.cls.user23 = cfg.user23
|
|
|
|
|
|
class TestVM(OpenStackComputeTesting):
|
|
# TC-1
|
|
# Description:
|
|
# - The following user and roles are defined: user11, admin of project1; user12, member of project1; user13, read only of project1.
|
|
# - Users 11/12 can lunch server from image or volume, with either predefined network, or predefined port; while user13 can NOT;
|
|
# - Users 11/12 can access server logs, while user13 can NOT;
|
|
# - Users 11/12 can access server console, while user13 can NOT.
|
|
def test_uc_nova_1(self, tc_teardown):
|
|
"""
|
|
# 1. user11 can create an instance
|
|
# 2. user11 can get the console log of the instance
|
|
# 3. user11 can access the VNC console of the instance
|
|
# 4. user13 can NOT get the console log or access the VNC console
|
|
# 5. user12 create an instance
|
|
# 6. user12 can get the console log of the instance
|
|
# 7. user12 can access the VNC console of the instance
|
|
# 8. user13 can NOT get the console log or access the VNC console
|
|
"""
|
|
|
|
# 1.1. user11 can create an instance
|
|
|
|
print ("\nTC-1.1")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._create_server("vm11-project1", "cirros", "m1.tiny")
|
|
|
|
if debug: print(vm11.name)
|
|
if debug: print(vm11.status)
|
|
|
|
assert vm11.name == "vm11-project1"
|
|
assert vm11.status == "ACTIVE"
|
|
assert "vm11-project1" in [s.name for s in self._list_servers()]
|
|
|
|
# 1.2. user11 can get the console log of the instance
|
|
|
|
print ("TC-1.2")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
data = self._get_server_console_output("vm11-project1")
|
|
|
|
if debug: pprint(data, indent=4)
|
|
assert data is not None
|
|
|
|
# 1.3. user11 can access the VNC console of the instance
|
|
|
|
print ("TC-1.3")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
data = self._get_vnc_console("vm11-project1", 'novnc')
|
|
|
|
if debug: pprint(data, indent=4)
|
|
assert data is not None
|
|
|
|
# 1.4. user13 can NOT get the console log or access the VNC console
|
|
|
|
print ("TC-1.4")
|
|
|
|
self.set_connections_for_user(self.user13)
|
|
|
|
#Note: openstack.exceptions
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._get_server_console_output("vm11-project1")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-console-output to be performed")
|
|
|
|
#Note: novaclient.exceptions
|
|
with pytest.raises(ncExceptions.Forbidden) as err:
|
|
assert self._get_vnc_console("vm11-project1", 'novnc')
|
|
assert err.match("Policy doesn't allow os_compute_api:os-remote-consoles to be performed")
|
|
|
|
# 1.5. user12 can create an instance
|
|
|
|
print ("TC-1.5")
|
|
|
|
self.set_connections_for_user(self.user12)
|
|
|
|
vm12 = self._create_server("vm12-project1", "cirros", "m1.tiny")
|
|
|
|
if debug: print(vm12.name)
|
|
if debug: print(vm12.status)
|
|
|
|
assert vm12.name == "vm12-project1"
|
|
assert vm12.status == "ACTIVE"
|
|
assert "vm12-project1" in [s.name for s in self._list_servers()]
|
|
|
|
# 1.6. user12 can get the console log of the instance
|
|
|
|
print ("TC-1.6")
|
|
|
|
self.set_connections_for_user(self.user12)
|
|
|
|
data = self._get_server_console_output("vm12-project1")
|
|
|
|
if debug: pprint(data, indent=4)
|
|
assert data is not None
|
|
|
|
# 1.7.user12 can access the VNC console of the instance
|
|
|
|
print ("TC-1.7")
|
|
|
|
self.set_connections_for_user(self.user12)
|
|
|
|
data = self._get_vnc_console("vm12-project1", 'novnc')
|
|
|
|
if debug: pprint(data, indent=4)
|
|
assert data is not None
|
|
|
|
# 1.8. user13 can NOT get the console log or access the VNC console
|
|
|
|
print ("TC-1.8")
|
|
|
|
self.set_connections_for_user(self.user13)
|
|
|
|
#Note: openstack.exceptions
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._get_server_console_output("vm12-project1")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-console-output to be performed")
|
|
|
|
#Note: novaclient.exceptions
|
|
with pytest.raises(ncExceptions.Forbidden) as err:
|
|
assert self._get_vnc_console("vm12-project1", 'novnc')
|
|
assert err.match("Policy doesn't allow os_compute_api:os-remote-consoles to be performed")
|
|
|
|
# TC-2
|
|
# Description:
|
|
# user11 can manage server: associate floatingip/de-associate floatingip/edit instance/
|
|
# attach volume/detach volume/update metadata/edit security group/pause instance/resume instance /
|
|
# suspend instance/resize instance/lock instance/unlock instance/shelve instance/unshelve instance/
|
|
# soft reboot instance/hard reboot instance/shut off instance/rebuild instance/delete instance,
|
|
# while user12/13 can NOT
|
|
def test_uc_nova_2(self, create_external_network, create_router_vr11, tc_teardown):
|
|
"""
|
|
01. user11 can create a floating IP
|
|
02. user11 can start a instance
|
|
03. user11 can associate/disassociate the floating IP to the instance
|
|
04. users 12/13 can NOT associate/disassociate the floating IP to the instance
|
|
05. user11 can update the name of the instance
|
|
06. users 12/13 can NOT update the instance
|
|
07. user11 can attache/detach a volume to the instance
|
|
08. user12 can attach/detach a volume to the instance, but user13 CAN NOT
|
|
09. user11 can update the metadata of the instance
|
|
10. users 12/13 can NOT update the metadata of the instance
|
|
11. user11 can add a security group the the instance
|
|
12. users 12/13 can NOT add a security group to the instance
|
|
13. user11 can pause/unpause the instance
|
|
14. users 12/13 can NOT pause/unpause the instance
|
|
15. user11 can resize the instance
|
|
16. users 12/13 can NOT resize the instance
|
|
17. user11 can lock/unlock the instance.
|
|
18. users 12/13 can NOT lock/unlock the instance.
|
|
19. user11 can stop the instance
|
|
20. users 12/13 can NOT stop the instance
|
|
21. user11 can soft reboot the instance
|
|
22. users 12/13 can NOT soft reboot the instance
|
|
23. user11 can hard reboot the instance
|
|
24. users 12/13 can NOT hard reboot the instance
|
|
25. user11 can rebuild the instance
|
|
26. users 12/13 can NOT rebuild the instance
|
|
27. user11 can shelve/unshelve the instance
|
|
28. users 12/13 can NOT shelve the instance
|
|
29. users 12/13 can NOT delete the instance
|
|
30. user11 can delete the instance
|
|
"""
|
|
|
|
# 2.1. user11 can create a floating IP
|
|
|
|
print ("\nTC-2.1")
|
|
|
|
#Test setup
|
|
extnet, extsubnet = create_external_network
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
network11 = self._create_network("network11")
|
|
assert network11 is not None
|
|
|
|
subnet11 = self._create_subnet("subnet11", "network11", cidr="10.10.20.0/24", gateway_ip="10.10.20.1")
|
|
assert subnet11 is not None
|
|
|
|
vr11 = create_router_vr11
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
vr11 = self._add_interface_to_router(OpenStackRouterInterface("vr11", "subnet11"))
|
|
assert subnet11.id in vr11.get("subnet_ids")
|
|
|
|
vm11 = self._create_server("vm11", "cirros", "m1.tiny", network_name="network11")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
network = self._get_network("network11")
|
|
vm11_port = [p for p in self._list_ports(device_id=vm11.id)][0]
|
|
assert vm11_port.network_id == network.id
|
|
|
|
#Create action succeeds for the project admin
|
|
fip11 = self._create_floatingip(subnet_id=extsubnet.id, floating_network_id=extnet.id, port_id=vm11_port.id)
|
|
|
|
if debug: print(fip11.floating_ip_address)
|
|
assert fip11.floating_ip_address is not None
|
|
|
|
# 2.2. user11 can stop/start a instance
|
|
|
|
print ("TC-2.2")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Stop action succeeds for the project admin
|
|
vm11 = self._stop_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "SHUTOFF"
|
|
|
|
#Start action succeeds for the project admin
|
|
vm11 = self._start_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.3. user11 can associate/disassociate the floating IP to the instance
|
|
|
|
print ("TC-2.3")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
if debug: print(fip11.floating_ip_address)
|
|
assert fip11.floating_ip_address is not None
|
|
|
|
#Associate action succeeds for the project admin
|
|
self._add_floating_ip_to_server("vm11", fip11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print([ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'][0])
|
|
assert fip11.floating_ip_address == [ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'][0]
|
|
|
|
#Disassociate action succeeds for the project admin
|
|
self._remove_floating_ip_from_server("vm11", fip11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print([ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'][0])
|
|
assert fip11.floating_ip_address not in [ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating']
|
|
|
|
# 2.4. users 12/13 can NOT associate/disassociate the floating IP to the instance
|
|
|
|
print ("TC-2.4")
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
if debug: print(fip11.floating_ip_address)
|
|
assert fip11.floating_ip_address is not None
|
|
|
|
#Associate attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._add_floating_ip_to_server("vm11", fip11)
|
|
assert err.match("rule:update_floatingip is disallowed by policy")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print([ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'])
|
|
assert fip11.floating_ip_address not in [ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating']
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
self._add_floating_ip_to_server("vm11", fip11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print([ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'])
|
|
assert fip11.floating_ip_address in [ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating']
|
|
|
|
#Disassociate attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._remove_floating_ip_from_server("vm11", fip11)
|
|
assert err.match("Access was denied to this resource")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print([ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating'])
|
|
assert fip11.floating_ip_address in [ip['addr'] for ip in vm11.addresses['network11'] if ip['OS-EXT-IPS:type'] == 'floating']
|
|
|
|
# 2.5. user11 can update the name of the instance
|
|
|
|
print ("TC-2.5")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
|
|
#Update action succeeds for the project admin
|
|
vm11 = self._update_server("vm11", name="vm11-project1")
|
|
if debug: print([s.name for s in self._list_servers()])
|
|
assert "vm11-project1" in [s.name for s in self._list_servers()]
|
|
|
|
#Test restore
|
|
vm11 = self._update_server("vm11-project1", name="vm11")
|
|
if debug: print([s.name for s in self._list_servers()])
|
|
assert "vm11" in [s.name for s in self._list_servers()]
|
|
|
|
# 2.6. users 12/13 can NOT update the instance
|
|
|
|
print ("TC-2.6")
|
|
|
|
#Update attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Test setup
|
|
if debug: print([s.name for s in self._list_servers()])
|
|
assert "vm11" in [s.name for s in self._list_servers()]
|
|
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._update_server("vm11", name="Instance11-Project1")
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:update to be performed")
|
|
|
|
assert "Instance11-Project1" not in [s.name for s in self._list_servers()]
|
|
assert "vm11" in [s.name for s in self._list_servers()]
|
|
|
|
# 2.7. user11 can attach/detach a volume to the instance
|
|
|
|
print ("TC-2.7")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
volume11 = self._create_volume("volume11")
|
|
volumes = self._list_volumes()
|
|
assert "volume11" in [v.name for v in volumes]
|
|
|
|
#Attach action succeeds for the project admin
|
|
self._add_volume_to_server("vm11", "volume11")
|
|
vm11 = self._get_server("vm11")
|
|
assert volume11.id in [v.get("id") for v in vm11.attached_volumes]
|
|
|
|
#Detach action succeeds for the project admin
|
|
self._remove_volume_from_server("vm11", "volume11")
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
# 2.8. user12 can attach/detach a volume to the instance, but user13 CAN NOT
|
|
|
|
print ("TC-2.8")
|
|
|
|
self.set_connections_for_user(self.user12)
|
|
|
|
#Test setup for user 12
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
#Attach action succeeds for user12 (project member)
|
|
self._add_volume_to_server("vm11", "volume11")
|
|
vm11 = self._get_server("vm11")
|
|
assert volume11.id in [v.get("id") for v in vm11.attached_volumes]
|
|
|
|
#Detach action succeeds for user12 (project member)
|
|
self._remove_volume_from_server("vm11", "volume11")
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
self.set_connections_for_user(self.user13)
|
|
|
|
#Test setup for user 13
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
#Attach attempt fails for user13 (read only)
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._add_volume_to_server("vm11", "volume11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-volumes-attachments:create to be performed")
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.attached_volumes == []
|
|
|
|
#Test setup for user 13
|
|
self.set_connections_for_user(self.user11)
|
|
self._add_volume_to_server("vm11", "volume11")
|
|
vm11 = self._get_server("vm11")
|
|
assert volume11.id in [v.get("id") for v in vm11.attached_volumes]
|
|
|
|
#Detach attempt fails for user13 (read only)
|
|
self.set_connections_for_user(self.user13)
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._remove_volume_from_server("vm11", "volume11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-volumes-attachments:delete to be performed")
|
|
vm11 = self._get_server("vm11")
|
|
assert volume11.id in [v.get("id") for v in vm11.attached_volumes]
|
|
|
|
# 2.9. user11 can update (set/modify/delete) the metadata of the instance
|
|
|
|
print ("TC-2.9")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
#Set metadata
|
|
vm11 = self._set_server_metadata("vm11", mykey="myvalue")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" in vm11.metadata
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
#Modify metadata
|
|
vm11 = self._set_server_metadata("vm11", mykey="updated-value")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" in vm11.metadata
|
|
assert vm11.metadata.get("mykey") == "updated-value"
|
|
|
|
#Get metadata
|
|
vm11 = self._get_server_metadata("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" in vm11.metadata
|
|
assert vm11.metadata.get("mykey") == "updated-value"
|
|
|
|
#Delete metadata
|
|
self._delete_server_metadata("vm11", ['mykey'])
|
|
|
|
vm11 = self._get_server_metadata("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
# 2.10. users 12/13 can NOT update the metadata of the instance
|
|
|
|
print ("TC-2.10")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
#Metadata update (set) attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._set_server_metadata("vm11", mykey="myvalue")
|
|
assert err.match("Policy doesn't allow os_compute_api:server-metadata:create to be performed")
|
|
assert "mykey" not in vm11.metadata
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._set_server_metadata("vm11", mykey="myvalue")
|
|
if debug: print(vm11.metadata)
|
|
assert "mykey" in vm11.metadata
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
#Metadata update (modify) attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._set_server_metadata("vm11", mykey="modified-value")
|
|
assert err.match("Policy doesn't allow os_compute_api:server-metadata:create to be performed")
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
#Metadata update (delete) attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.metadata)
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._delete_server_metadata("vm11", ['mykey'])
|
|
assert err.match("Policy doesn't allow os_compute_api:server-metadata:delete to be performed")
|
|
assert vm11.metadata.get("mykey") == "myvalue"
|
|
|
|
# 2.11. user11 can add/remove a security group to/from the instance
|
|
|
|
print ("TC-2.11")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
assert "sg11" not in [sg.name for sg in self._list_security_groups()]
|
|
sg11 = self._create_security_group("sg11")
|
|
if debug: print(sg11.name)
|
|
assert sg11.name is not None
|
|
assert self._get_security_group("sg11") is not None
|
|
assert "sg11" in [sg.name for sg in self._list_security_groups()]
|
|
|
|
vm11 = self._fetch_server_security_groups("vm11")
|
|
assert "sg11" not in [sg['name'] for sg in vm11.security_groups]
|
|
|
|
#Add security group action succeeds for the project admin
|
|
self._add_security_group_to_server("vm11", "sg11")
|
|
vm11 = self._fetch_server_security_groups("vm11")
|
|
if debug: print([sg['name'] for sg in vm11.security_groups])
|
|
assert "sg11" in [sg['name'] for sg in vm11.security_groups]
|
|
|
|
#Remove security group action succeeds for the project admin
|
|
self.set_connections_for_user(self.user11)
|
|
self._remove_security_group_from_server("vm11", "sg11")
|
|
vm11 = self._fetch_server_security_groups("vm11")
|
|
if debug: print([sg['name'] for sg in vm11.security_groups])
|
|
assert "sg11" not in [sg['name'] for sg in vm11.security_groups]
|
|
|
|
# 2.12. users 12/13 can NOT add/remove a security group to the instance
|
|
|
|
print ("TC-2.12")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
self._add_security_group_to_server("vm11", "sg11")
|
|
|
|
assert "sg12" not in [sg.name for sg in self._list_security_groups()]
|
|
sg12 = self._create_security_group("sg12")
|
|
if debug: print(sg12.name)
|
|
assert sg12.name is not None
|
|
assert self._get_security_group("sg12") is not None
|
|
|
|
vm11 = self._fetch_server_security_groups("vm11")
|
|
assert "sg11" in [sg['name'] for sg in vm11.security_groups]
|
|
assert "sg12" not in [sg['name'] for sg in vm11.security_groups]
|
|
|
|
#Add/remove security group attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._fetch_server_security_groups("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-security-groups:list to be performed")
|
|
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._add_security_group_to_server("vm11", "sg12")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-security-groups:add to be performed")
|
|
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._remove_security_group_from_server("vm11", "sg11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-security-groups:remove to be performed")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._fetch_server_security_groups("vm11")
|
|
assert "sg11" in [sg['name'] for sg in vm11.security_groups]
|
|
assert "sg12" not in [sg['name'] for sg in vm11.security_groups]
|
|
|
|
# 2.13. user11 can pause/unpause the instance
|
|
|
|
print ("TC-2.13")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Pause action succeeds for the project admin
|
|
self._pause_server("vm11")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "PAUSED"
|
|
|
|
#Unause action succeeds for the project admin
|
|
self._unpause_server("vm11")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.14. users 12/13 can NOT pause/unpause the instance
|
|
|
|
print ("TC-2.14")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Pause attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._pause_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-pause-server:pause to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
self._pause_server("vm11")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "PAUSED"
|
|
|
|
#Unause attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._unpause_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-pause-server:unpause to be performed")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "PAUSED"
|
|
|
|
# Test restore
|
|
self.set_connections_for_user(self.user11)
|
|
self._unpause_server("vm11")
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.15 user11 can resize the instance and revert or confirm resize
|
|
|
|
print ("TC-2.15")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
assert vm11.flavor['original_name'] == 'm1.tiny'
|
|
|
|
#Resize and revert resize
|
|
vm11 = self._resize_server("vm11", "m1.small")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "VERIFY_RESIZE"
|
|
if debug: print(vm11.flavor['original_name'])
|
|
assert vm11.flavor['original_name'] == 'm1.small'
|
|
|
|
vm11 = self._revert_server_resize("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11.flavor['original_name'])
|
|
assert vm11.flavor['original_name'] == 'm1.tiny'
|
|
|
|
#Resize and confim resize
|
|
vm11 = self._resize_server("vm11", "m1.small")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "VERIFY_RESIZE"
|
|
if debug: print(vm11.flavor['original_name'])
|
|
assert vm11.flavor['original_name'] == 'm1.small'
|
|
|
|
vm11 = self._confirm_server_resize("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11.flavor['original_name'])
|
|
assert vm11.flavor['original_name'] == 'm1.small'
|
|
|
|
# 2.16. users 12/13 can NOT resize the instance
|
|
|
|
print ("TC-2.16")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
assert vm11.flavor['original_name'] == 'm1.small'
|
|
|
|
#Resize attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._resize_server("vm11", "m1.tiny")
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:resize to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.flavor['original_name'])
|
|
assert vm11.flavor['original_name'] == 'm1.small'
|
|
|
|
# 2.17. user11 can lock/unlock the instance.
|
|
|
|
print ("TC-2.17")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
vm11 = self._lock_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
vm11 = self._unlock_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
# 2.18. users 12/13 can NOT lock/unlock the instance.
|
|
|
|
print ("TC-2.18")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
#Lock attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._lock_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-lock-server:lock to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._lock_server("vm11")
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
#Unlock attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._unlock_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-lock-server:unlock to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
#Test restore
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._unlock_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
if debug: print(vm11)
|
|
|
|
# 2.19. user11 can stop the instance
|
|
|
|
print ("TC-2.19")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Stop action succeeds for the project admin
|
|
vm11 = self._stop_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "SHUTOFF"
|
|
|
|
#Test restore
|
|
vm11 = self._start_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.20. users 12/13 can NOT stop the instance
|
|
|
|
print ("TC-2.20")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Stop attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
#Exception occurs
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._stop_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:stop to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.21. user11 can soft reboot the instance
|
|
|
|
print ("TC-2.21")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Soft reboot action succeeds for the project admin
|
|
vm11 = self._reboot_server("vm11", 'soft')
|
|
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.22. users 12/13 can NOT soft reboot the instance
|
|
|
|
print ("TC-2.22")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Soft reboot attempt fails for project members
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._reboot_server("vm11", 'soft')
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:reboot to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.23.user11 can hard reboot the instance
|
|
|
|
print ("TC-2.23")
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Hard reboot action succeeds for the project admin
|
|
vm11 = self._reboot_server("vm11", 'hard')
|
|
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.24. users 12/13 can NOT hard reboot the instance
|
|
|
|
print ("TC-2.24")
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Hard reboot attempt fails for project members
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._reboot_server("vm11", 'hard')
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:reboot to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.25. user11 can rebuild the instance
|
|
|
|
print ("TC-2.25")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Rebuild action succeeds for the project admin
|
|
vm11 = self._rebuild_server("vm11", "vm11", self.user11.get("password"), "cirros")
|
|
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.26. users 12/13 can NOT rebuild the instance
|
|
|
|
print ("TC-2.26")
|
|
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#Rebuild attempt fails for project members
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._rebuild_server("vm11", "vm11", user.get("password"), "cirros")
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:rebuild to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.27. user11 can shelve/unshelve the instance
|
|
|
|
print ("TC-2.27")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Test setup
|
|
vm11 = self._get_server("vm11")
|
|
assert vm11.name == "vm11"
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Shelve action succeeds for the project admin
|
|
vm11 = self._shelve_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "SHELVED_OFFLOADED"
|
|
|
|
#Test restore
|
|
vm11 = self._unshelve_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.28. users 12/13 can NOT shelve the instance
|
|
|
|
print ("TC-2.28")
|
|
|
|
#Shelve attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._shelve_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-shelve:shelve to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
#Test setup
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._shelve_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "SHELVED_OFFLOADED"
|
|
|
|
#Unshelve attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._unshelve_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:os-shelve:unshelve to be performed")
|
|
|
|
vm11 = self._get_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "SHELVED_OFFLOADED"
|
|
|
|
#Test restore
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._unshelve_server("vm11")
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
# 2.29. users 12/13 can NOT delete the instance
|
|
|
|
print ("TC-2.29")
|
|
|
|
#Delete attempt fails for project members
|
|
for user in (self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
assert "vm11" in [s.name for s in self._list_servers()]
|
|
|
|
with pytest.raises(exceptions.HttpException) as err:
|
|
assert self._delete_server("vm11")
|
|
assert err.match("Policy doesn't allow os_compute_api:servers:delete to be performed")
|
|
|
|
assert "vm11" in [s.name for s in self._list_servers()]
|
|
|
|
# 2.30. user11 can delete the instance
|
|
|
|
print ("TC-2.30")
|
|
|
|
self.set_connections_for_user(self.user11)
|
|
|
|
#Delete action succeeds for the project admin
|
|
self._delete_server("vm11")
|
|
assert "vm11" not in [s.name for s in self._list_servers()]
|
|
|
|
# TC-3
|
|
# Description:
|
|
# users 11/12/13 can retrieve list and detail server of project1
|
|
def test_uc_nova_3(self, create_external_network, create_router_vr11, tc_teardown):
|
|
"""
|
|
1. user11 can create an instance of project1
|
|
2. users 11/12/13 can list/detail the server of project1
|
|
"""
|
|
|
|
# 3.1. user11 can create an instance of project1
|
|
|
|
print ("\nTC-3.1")
|
|
|
|
#Test Setup
|
|
extnet, extsubnet = create_external_network
|
|
self.set_connections_for_user(self.user11)
|
|
network11 = self._create_network("network11")
|
|
assert network11 is not None
|
|
|
|
subnet11 = self._create_subnet("subnet11", "network11", cidr="10.10.20.0/24", gateway_ip="10.10.20.1")
|
|
assert subnet11 is not None
|
|
vr11 = create_router_vr11
|
|
|
|
#Create
|
|
self.set_connections_for_user(self.user11)
|
|
vm11 = self._create_server("vm-instance-11", "cirros", "m1.tiny", network_name="network11")
|
|
if debug: print(vm11.name)
|
|
assert vm11.name == "vm-instance-11"
|
|
if debug: print(vm11.status)
|
|
assert vm11.status == "ACTIVE"
|
|
|
|
vm11 = self._get_server("vm-instance-11")
|
|
assert vm11.name == "vm-instance-11"
|
|
assert "vm-instance-11" in [s.name for s in self._list_servers()]
|
|
|
|
# 3.2. users 11/12/13 can list/detail the server of project1
|
|
|
|
print ("TC-3.2")
|
|
|
|
for user in (self.user11, self.user12, self.user13):
|
|
self.set_connections_for_user(user)
|
|
|
|
#List
|
|
assert "vm-instance-11" in [s.name for s in self._list_servers()]
|
|
vm11 = self._get_server("vm-instance-11")
|
|
assert vm11.name == "vm-instance-11"
|
|
|
|
#Detail
|
|
vm11 = self._get_server("vm-instance-11")
|
|
if debug: print(vm11.name)
|
|
assert vm11.name == "vm-instance-11"
|