[
https://issues.apache.org/jira/browse/CLOUDSTACK-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15254008#comment-15254008
]
ASF GitHub Bot commented on CLOUDSTACK-8562:
--------------------------------------------
Github user jburwell commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/1489#discussion_r60744764
--- Diff: test/integration/smoke/test_dynamicroles.py ---
@@ -0,0 +1,474 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from marvin.cloudstackAPI import *
+from marvin.cloudstackTestCase import cloudstackTestCase
+from marvin.cloudstackException import CloudstackAPIException
+from marvin.lib.base import Account, Role, RolePermission
+from marvin.lib.utils import cleanup_resources
+from nose.plugins.attrib import attr
+
+import random
+import re
+
+
+class TestData(object):
+ """Test data object that is required to create resources
+ """
+ def __init__(self):
+ self.testdata = {
+ "account": {
+ "email": "[email protected]",
+ "firstname": "Marvin",
+ "lastname": "TestUser",
+ "username": "roletest",
+ "password": "password",
+ },
+ "role": {
+ "name": "MarvinFake Role ",
+ "type": "User",
+ "description": "Fake Role created by Marvin test"
+ },
+ "roleadmin": {
+ "name": "MarvinFake Admin Role ",
+ "type": "Admin",
+ "description": "Fake Admin Role created by Marvin test"
+ },
+ "roledomainadmin": {
+ "name": "MarvinFake DomainAdmin Role ",
+ "type": "DomainAdmin",
+ "description": "Fake Domain-Admin Role created by Marvin
test"
+ },
+ "rolepermission": {
+ "roleid": 1,
+ "rule": "listVirtualMachines",
+ "permission": "allow",
+ "description": "Fake role permission created by Marvin
test"
+ },
+ "apiConfig": {
+ "listApis": "allow",
+ "listAccounts": "allow",
+ "listClusters": "deny",
+ "*VM*": "allow",
+ "*Host*": "deny"
+ }
+ }
+
+
+class TestDynamicRoles(cloudstackTestCase):
+ """Tests dynamic role and role permission management in CloudStack
+ """
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.dbclient = self.testClient.getDbConnection()
+ self.testdata = TestData().testdata
+
+ feature_enabled =
self.apiclient.listCapabilities(listCapabilities.listCapabilitiesCmd()).dynamicrolesenabled
+ if not feature_enabled:
+ self.skipTest("Dynamic Role-Based API checker not enabled,
skipping test")
+
+ self.testdata["role"]["name"] += self.getRandomString()
+ self.role = Role.create(
+ self.apiclient,
+ self.testdata["role"]
+ )
+
+ self.testdata["rolepermission"]["roleid"] = self.role.id
+ self.rolepermission = RolePermission.create(
+ self.apiclient,
+ self.testdata["rolepermission"]
+ )
+
+ self.account = Account.create(
+ self.apiclient,
+ self.testdata["account"],
+ roleid=self.role.id
+ )
+ self.cleanup = [
+ self.account,
+ self.rolepermission,
+ self.role
+ ]
+
+
+ def tearDown(self):
+ try:
+ cleanup_resources(self.apiclient, self.cleanup)
+ except Exception as e:
+ self.debug("Warning! Exception in tearDown: %s" % e)
+
+
+ def translateRoleToAccountType(self, role_type):
+ if role_type == "User":
+ return 0
+ elif role_type == "Admin":
+ return 1
+ elif role_type == "DomainAdmin":
+ return 2
+ elif role_type == "ResourceAdmin":
+ return 3
+ return -1
+
+
+ def getUserApiClient(self, username, domain='ROOT', role_type='User'):
+ self.user_apiclient =
self.testClient.getUserApiClient(UserName=username, DomainName='ROOT',
type=self.translateRoleToAccountType(role_type))
+ return self.user_apiclient
+
+
+ def getRandomString(self):
+ return
"".join(random.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in
range(10))
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_lifecycle_list(self):
+ """
+ Tests that default four roles exist
+ """
+ roleTypes = {1: "Admin", 2: "ResourceAdmin", 3: "DomainAdmin", 4:
"User"}
+ for idx in range(1,5):
+ list_roles = Role.list(self.apiclient, id=idx)
+ self.assertEqual(
+ isinstance(list_roles, list),
+ True,
+ "List Roles response was not a valid list"
+ )
+ self.assertEqual(
+ len(list_roles),
+ 1,
+ "List Roles response size was not 1"
+ )
+ self.assertEqual(
+ list_roles[0].type,
+ roleTypes[idx],
+ msg="Default role type differs from expectation"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_lifecycle_create(self):
+ """
+ Tests normal lifecycle operations for roles
+ """
+ # Reuse self.role created in setUp()
+ try:
+ role = Role.create(
+ self.apiclient,
+ self.testdata["role"]
+ )
+ self.fail("An exception was expected when creating duplicate
roles")
+ except CloudstackAPIException: pass
+
+ list_roles = Role.list(self.apiclient, id=self.role.id)
+ self.assertEqual(
+ isinstance(list_roles, list),
+ True,
+ "List Roles response was not a valid list"
+ )
+ self.assertEqual(
+ len(list_roles),
+ 1,
+ "List Roles response size was not 1"
+ )
+ self.assertEqual(
+ list_roles[0].name,
+ self.testdata["role"]["name"],
+ msg="Role name does not match the test data"
+ )
+ self.assertEqual(
+ list_roles[0].type,
+ self.testdata["role"]["type"],
+ msg="Role type does not match the test data"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_lifecycle_update(self):
+ """
+ Tests role update
+ """
+ self.account.delete(self.apiclient)
+ new_role_name = "MarvinFakeRoleNewName-" + self.getRandomString()
+ self.role.update(self.apiclient, name=new_role_name, type='Admin')
+ update_role = Role.list(self.apiclient, id=self.role.id)[0]
+ self.assertEqual(
+ update_role.name,
+ new_role_name,
+ msg="Role name does not match updated role name"
+ )
+ self.assertEqual(
+ update_role.type,
+ 'Admin',
+ msg="Role type does not match updated role type"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_lifecycle_update_role_inuse(self):
+ """
+ Tests role update when role is in use by an account
+ """
+ new_role_name = "MarvinFakeRoleNewName-" + self.getRandomString()
+ try:
+ self.role.update(self.apiclient, name=new_role_name,
type='Admin')
+ self.fail("Updation of role type is not allowed when role is
in use")
+ except CloudstackAPIException: pass
+
+ self.role.update(self.apiclient, name=new_role_name)
+ update_role = Role.list(self.apiclient, id=self.role.id)[0]
+ self.assertEqual(
+ update_role.name,
+ new_role_name,
+ msg="Role name does not match updated role name"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_lifecycle_delete(self):
+ """
+ Tests role update
+ """
+ self.account.delete(self.apiclient)
+ self.role.delete(self.apiclient)
+ list_roles = Role.list(self.apiclient, id=self.role.id)
+ self.assertEqual(
+ list_roles,
+ None,
+ "List Roles response should be empty"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_role_inuse_deletion(self):
+ """
+ Test to ensure role in use cannot be deleted
+ """
+ try:
+ self.role.delete(self.apiclient)
+ self.fail("Role with any account should not be allowed to be
deleted")
+ except CloudstackAPIException: pass
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_default_role_deletion(self):
+ """
+ Test to ensure 4 default roles cannot be deleted
+ """
+ for idx in range(1,5):
+ cmd = deleteRole.deleteRoleCmd()
+ cmd.id = idx
+ try:
+ self.apiclient.deleteRole(cmd)
+ self.fail("Default role got deleted with id: " + idx)
+ except CloudstackAPIException: pass
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_rolepermission_lifecycle_list(self):
+ """
+ Tests listing of default role's permission
+ """
+ for idx in range(1,5):
+ list_rolepermissions = RolePermission.list(self.apiclient,
roleid=idx)
+ self.assertEqual(
+ isinstance(list_rolepermissions, list),
+ True,
+ "List rolepermissions response was not a valid list"
+ )
+ self.assertTrue(
+ len(list_rolepermissions) > 0,
+ "List rolepermissions response was empty"
+ )
+
+
+ @attr(tags=['advanced', 'simulator', 'basic', 'sg'],
required_hardware=False)
+ def test_rolepermission_lifecycle_create(self):
+ """
+ Tests creation of role permission
+ """
+ # Reuse self.rolepermission created in setUp()
+ try:
+ rolepermission = RolePermission.create(
+ self.apiclient,
+ self.testdata["rolepermission"]
+ )
+ self.fail("An exception was expected when creating duplicate
role permissions")
+ except CloudstackAPIException: pass
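Review bot: `getUserApiClient` accepts a `domain` argument but never uses it, because the call hard-codes `DomainName='ROOT'`. A caller that passes another domain would presumably still get a ROOT-domain client, so a role-permission check meant for a sub-domain user could silently run in the wrong scope; pass it through with `DomainName=domain`. Separately, in `test_default_role_deletion` the message `"Default role got deleted with id: " + idx` concatenates a str with the int from `range(1,5)`. If a default role were ever deleted, the test would raise TypeError instead of reporting the intended failure; use `"Default role got deleted with id: %d" % idx`. The quoted hunk stops before the end of the 474-line file, so the callers of `getUserApiClient` and the rest of the class are not visible here.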
--- End diff --
Is there any value in asserting on the contents of the error message?
> User Definable Roles
> --------------------
>
> Key: CLOUDSTACK-8562
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8562
> Project: CloudStack
> Issue Type: New Feature
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Management Server
> Reporter: Paul Angus
> Assignee: Rohit Yadav
>
> Static command.properties moved to database and made user definable