Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B09E6191CC for ; Mon, 25 Apr 2016 08:53:11 +0000 (UTC) Received: (qmail 84855 invoked by uid 500); 25 Apr 2016 08:53:11 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 84801 invoked by uid 500); 25 Apr 2016 08:53:11 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 84789 invoked by uid 99); 25 Apr 2016 08:53:11 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Apr 2016 08:53:11 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id A60ACDFF32; Mon, 25 Apr 2016 08:53:10 +0000 (UTC) From: rhtyd To: dev@cloudstack.apache.org Reply-To: dev@cloudstack.apache.org References: In-Reply-To: Subject: [GitHub] cloudstack pull request: CLOUDSTACK-8562: Dynamic Role-Based API C... Content-Type: text/plain Message-Id: <20160425085310.A60ACDFF32@git1-us-west.apache.org> Date: Mon, 25 Apr 2016 08:53:10 +0000 (UTC) Github user rhtyd commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1489#discussion_r60880213 --- Diff: test/integration/smoke/test_dynamicroles.py --- @@ -0,0 +1,474 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from marvin.cloudstackAPI import * +from marvin.cloudstackTestCase import cloudstackTestCase +from marvin.cloudstackException import CloudstackAPIException +from marvin.lib.base import Account, Role, RolePermission +from marvin.lib.utils import cleanup_resources +from nose.plugins.attrib import attr + +import random +import re + + +class TestData(object): + """Test data object that is required to create resources + """ + def __init__(self): + self.testdata = { + "account": { + "email": "mtu@test.cloud", + "firstname": "Marvin", + "lastname": "TestUser", + "username": "roletest", + "password": "password", + }, + "role": { + "name": "MarvinFake Role ", + "type": "User", + "description": "Fake Role created by Marvin test" + }, + "roleadmin": { + "name": "MarvinFake Admin Role ", + "type": "Admin", + "description": "Fake Admin Role created by Marvin test" + }, + "roledomainadmin": { + "name": "MarvinFake DomainAdmin Role ", + "type": "DomainAdmin", + "description": "Fake Domain-Admin Role created by Marvin test" + }, + "rolepermission": { + "roleid": 1, + "rule": "listVirtualMachines", + "permission": "allow", + "description": "Fake role permission created by Marvin test" + }, + "apiConfig": { + "listApis": "allow", + "listAccounts": "allow", + "listClusters": "deny", + "*VM*": "allow", + "*Host*": "deny" + } + } + + +class TestDynamicRoles(cloudstackTestCase): + """Tests dynamic role and role permission management in CloudStack + """ + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.dbclient = self.testClient.getDbConnection() + self.testdata = TestData().testdata + + feature_enabled = self.apiclient.listCapabilities(listCapabilities.listCapabilitiesCmd()).dynamicrolesenabled + if not feature_enabled: + self.skipTest("Dynamic Role-Based API checker not enabled, skipping test") + + self.testdata["role"]["name"] += self.getRandomString() + self.role = Role.create( + self.apiclient, + self.testdata["role"] + ) + + self.testdata["rolepermission"]["roleid"] = self.role.id + self.rolepermission = RolePermission.create( + self.apiclient, + self.testdata["rolepermission"] + ) + + self.account = Account.create( + self.apiclient, + self.testdata["account"], + roleid=self.role.id + ) + self.cleanup = [ + self.account, + self.rolepermission, + self.role + ] + + + def tearDown(self): + try: + cleanup_resources(self.apiclient, self.cleanup) + except Exception as e: + self.debug("Warning! Exception in tearDown: %s" % e) + + + def translateRoleToAccountType(self, role_type): + if role_type == "User": + return 0 + elif role_type == "Admin": + return 1 + elif role_type == "DomainAdmin": + return 2 + elif role_type == "ResourceAdmin": + return 3 + return -1 + + + def getUserApiClient(self, username, domain='ROOT', role_type='User'): + self.user_apiclient = self.testClient.getUserApiClient(UserName=username, DomainName='ROOT', type=self.translateRoleToAccountType(role_type)) + return self.user_apiclient + + + def getRandomString(self): + return "".join(random.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(10)) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_lifecycle_list(self): + """ + Tests that default four roles exist + """ + roleTypes = {1: "Admin", 2: "ResourceAdmin", 3: "DomainAdmin", 4: "User"} + for idx in range(1,5): + list_roles = Role.list(self.apiclient, id=idx) + self.assertEqual( + isinstance(list_roles, list), + True, + "List Roles response was not a valid list" + ) + self.assertEqual( + len(list_roles), + 1, + "List Roles response size was not 1" + ) + self.assertEqual( + list_roles[0].type, + roleTypes[idx], + msg="Default role type differs from expectation" + ) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_lifecycle_create(self): + """ + Tests normal lifecycle operations for roles + """ + # Reuse self.role created in setUp() + try: + role = Role.create( + self.apiclient, + self.testdata["role"] + ) + self.fail("An exception was expected when creating duplicate roles") + except CloudstackAPIException: pass + + list_roles = Role.list(self.apiclient, id=self.role.id) + self.assertEqual( + isinstance(list_roles, list), + True, + "List Roles response was not a valid list" + ) + self.assertEqual( + len(list_roles), + 1, + "List Roles response size was not 1" + ) + self.assertEqual( + list_roles[0].name, + self.testdata["role"]["name"], + msg="Role name does not match the test data" + ) + self.assertEqual( + list_roles[0].type, + self.testdata["role"]["type"], + msg="Role type does not match the test data" + ) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_lifecycle_update(self): + """ + Tests role update + """ + self.account.delete(self.apiclient) + new_role_name = "MarvinFakeRoleNewName-" + self.getRandomString() + self.role.update(self.apiclient, name=new_role_name, type='Admin') + update_role = Role.list(self.apiclient, id=self.role.id)[0] + self.assertEqual( + update_role.name, + new_role_name, + msg="Role name does not match updated role name" + ) + self.assertEqual( + update_role.type, + 'Admin', + msg="Role type does not match updated role type" + ) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_lifecycle_update_role_inuse(self): + """ + Tests role update when role is in use by an account + """ + new_role_name = "MarvinFakeRoleNewName-" + self.getRandomString() + try: + self.role.update(self.apiclient, name=new_role_name, type='Admin') + self.fail("Updation of role type is not allowed when role is in use") + except CloudstackAPIException: pass + + self.role.update(self.apiclient, name=new_role_name) + update_role = Role.list(self.apiclient, id=self.role.id)[0] + self.assertEqual( + update_role.name, + new_role_name, + msg="Role name does not match updated role name" + ) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_lifecycle_delete(self): + """ + Tests role update + """ + self.account.delete(self.apiclient) + self.role.delete(self.apiclient) + list_roles = Role.list(self.apiclient, id=self.role.id) + self.assertEqual( + list_roles, + None, + "List Roles response should be empty" + ) + + + @attr(tags=['advanced', 'simulator', 'basic', 'sg'], required_hardware=False) + def test_role_inuse_deletion(self): + """ + Test to ensure role in use cannot be deleted + """ + try: + self.role.delete(self.apiclient) + self.fail("Role with any account should not be allowed to be deleted") + except CloudstackAPIException: pass --- End diff -- We can do that but since we've catching any ACS server api exception caught by CloudStackAPIException, we know it's ACS specific API exception and not any HTTP exception. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA. ---