4 # Copyright 2017 RIFT.IO Inc
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
25 import rift
.auto
.descriptor
27 gi
.require_version('RwConmanYang', '1.0')
28 gi
.require_version('RwProjectVnfdYang', '1.0')
29 gi
.require_version('RwProjectNsdYang', '1.0')
30 gi
.require_version('RwNsrYang', '1.0')
31 gi
.require_version('RwVnfrYang', '1.0')
32 gi
.require_version('RwRbacInternalYang', '1.0')
33 gi
.require_version('RwRbacPlatformYang', '1.0')
34 gi
.require_version('RwProjectYang', '1.0')
35 gi
.require_version('RwUserYang', '1.0')
36 gi
.require_version('RwOpenidcProviderYang', '1.0')
37 from gi
.repository
import (
48 RwOpenidcProviderYang
,
50 gi
.require_version('RwKeyspec', '1.0')
51 from gi
.repository
.RwKeyspec
import quoted_key
53 @pytest.fixture(scope
='session')
54 def complex_scaling_factor():
57 @pytest.mark
.incremental
58 class TestRbacSetup(object):
59 def test_onboarded_vnfds_project_independent(self
, descriptors
, logger
, rbac_platform_proxy
, rw_conman_proxy
, rw_user_proxy
,
60 rw_project_proxy
, rbac_user_passwd
, user_domain
, fmt_vnfd_catalog_xpath
, session_class
, confd_host
, fmt_vnfd_id_xpath
, rw_rbac_int_proxy
):
61 """Same VNFDs on boarded in two different projects. VNFD changes in one project shouldn't affect another."""
62 map_project_user_roles
= {
63 'user1': ('project_test_onboarded_vnfds_project_independent_1', 'rw-project-mano:catalog-admin'),
64 'user2': ('project_test_onboarded_vnfds_project_independent_2', 'rw-project:project-admin'),
66 user_to_modify_vnfds
, user_not_supposed_to_see_vnfd_changes
= 'user1', 'user2'
68 modified_vnfd_name
= 'test_rbac_vnfd'
70 logger
.debug('descriptors being used: {}'.format(descriptors
))
72 for user
, project_role_tuple
in map_project_user_roles
.items():
73 project_name
, role
= project_role_tuple
74 logger
.debug('Creating user {} with {}'.format(user
, project_role_tuple
))
76 rift
.auto
.mano
.create_project(rw_conman_proxy
, project_name
)
77 rift
.auto
.mano
.create_user(rw_user_proxy
, user
, rbac_user_passwd
, user_domain
)
78 if 'platform' in role
:
79 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, role
, user
, user_domain
, rw_rbac_int_proxy
)
81 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, user
,
82 project_name
, user_domain
, rw_rbac_int_proxy
)
84 logger
.debug('User {} onboarding the packages'.format(user
))
85 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, rbac_user_passwd
)
86 user_sessions
[user
] = user_session
87 for descriptor
in descriptors
:
88 rift
.auto
.descriptor
.onboard(user_session
, descriptor
, project
=project_name
)
90 vnfd_pxy
= user_sessions
[user_to_modify_vnfds
].proxy(RwProjectVnfdYang
)
91 vnfd_xpath
= '{}/vnfd'.format(fmt_vnfd_catalog_xpath
.format(project
=quoted_key(map_project_user_roles
[user_to_modify_vnfds
][0])))
92 for vnfd
in vnfd_pxy
.get(vnfd_xpath
, list_obj
=True).vnfd
:
93 logger
.debug('Changing the vnfd name from {} to {} for user {}'.format(vnfd
.name
, modified_vnfd_name
, user_to_modify_vnfds
))
94 vnfd
.name
= modified_vnfd_name
95 vnfd_pxy
.replace_config(fmt_vnfd_id_xpath
.format(
96 project
=quoted_key(map_project_user_roles
[user_to_modify_vnfds
][0]), vnfd_id
=quoted_key(vnfd
.id)), vnfd
)
98 for vnfd
in vnfd_pxy
.get(vnfd_xpath
, list_obj
=True).vnfd
:
99 assert vnfd
.name
== modified_vnfd_name
101 vnfd_pxy
= user_sessions
[user_not_supposed_to_see_vnfd_changes
].proxy(RwProjectVnfdYang
)
102 vnfd_xpath
= '{}/vnfd'.format(fmt_vnfd_catalog_xpath
.format(project
=quoted_key(map_project_user_roles
[user_not_supposed_to_see_vnfd_changes
][0])))
103 for vnfd
in vnfd_pxy
.get(vnfd_xpath
, list_obj
=True).vnfd
:
104 logger
.debug('Verifying the vnfd name {} for user {} did not change to {}'.format(
105 vnfd
.name
, user_not_supposed_to_see_vnfd_changes
, modified_vnfd_name
))
106 assert vnfd
.name
!= modified_vnfd_name
108 def test_multi_projects_multi_vnf(
109 self
, rw_project_proxy
, rw_conman_proxy
, cloud_account
,
110 cloud_module
, descriptors
, session_class
,
111 confd_host
, user_domain
, mgmt_session
, fmt_nsd_catalog_xpath
,
112 logger
, rw_rbac_int_proxy
):
113 """Creates multiple projects, cloud accounts and then
114 instantiates them. Then it lets the instantiated NS's run for a minute
115 after which gets terminated. Use the SCALE_FACTOR to adjust the number
116 of instantiations."""
118 def instantiate_nsr_not_wait(nsr
, rwnsr_proxy
, project
='default'):
119 ns_instance_opdata_xpath
= '/project[name={}]/ns-instance-opdata'.format(quoted_key(project
))
120 rwnsr_proxy
.create_config('/rw-project:project[rw-project:name={}]/nsr:ns-instance-config/nsr:nsr'.format(quoted_key(project
)), nsr
)
121 nsr_opdata
= rwnsr_proxy
.get('{}/nsr[ns-instance-config-ref={}]'.format(ns_instance_opdata_xpath
, quoted_key(nsr
.id)))
122 assert nsr_opdata
is not None
124 nsr_opdata
= rwnsr_proxy
.get(ns_instance_opdata_xpath
)
125 nsr_
= [nsr_
for nsr_
in nsr_opdata
.nsr
if nsr_
.ns_instance_config_ref
==nsr
.id][0]
127 #Creating multiple projects according to the scale factor
130 for idx
in range(1,SCALE_FACTOR
+1):
131 rift
.auto
.mano
.create_project(rw_conman_proxy
, 'cloud_project_{}'.format(idx
))
132 PROJECT_LIST
['cloud_project_{}'.format(idx
)] = None
133 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, 'rw-project:project-admin', 'admin', 'cloud_project_{}'
134 .format(idx
), 'system', rw_rbac_int_proxy
)
135 #Creating cloud accounts, uploading descriptors, instantiating NS
136 for project_name
in PROJECT_LIST
:
137 rift
.auto
.mano
.create_cloud_account(mgmt_session
, cloud_account
, project_name
)
138 for descriptor
in descriptors
:
139 rift
.auto
.descriptor
.onboard(mgmt_session
, descriptor
, project
=project_name
)
140 admin_nsd_pxy
= mgmt_session
.proxy(RwProjectNsdYang
)
141 nsd_catalog
= admin_nsd_pxy
.get_config(fmt_nsd_catalog_xpath
.format(project
=quoted_key(project_name
)))
143 nsd
= nsd_catalog
.nsd
[0]
144 nsr
= rift
.auto
.descriptor
.create_nsr(cloud_account
.name
, nsd
.name
, nsd
)
145 PROJECT_LIST
[project_name
] = nsr
147 for project_name
, NSR
in PROJECT_LIST
.items():
148 admin_rwnsr_pxy
= mgmt_session
.proxy(RwNsrYang
)
149 admin_rwvnfr_pxy
= mgmt_session
.proxy(RwVnfrYang
)
150 admin_rwvlr_pxy
= mgmt_session
.proxy(RwVlrYang
)
151 instantiate_nsr_not_wait(NSR
, admin_rwnsr_pxy
,
152 project
=project_name
)
154 # Waiting for NS's to get started and configured.
155 for project_name
in PROJECT_LIST
:
156 admin_rwnsr_pxy
= mgmt_session
.proxy(RwNsrYang
)
157 nsr_opdata
= admin_rwnsr_pxy
.get('/rw-project:project[rw-project:name={}]/ns-instance-opdata'.format(quoted_key(project_name
)))
158 nsrs
= nsr_opdata
.nsr
161 xpath
= "/rw-project:project[rw-project:name={}]/ns-instance-opdata/nsr[ns-instance-config-ref={}]/operational-status".format(
162 quoted_key(project_name
), quoted_key(nsr
.ns_instance_config_ref
))
163 admin_rwnsr_pxy
.wait_for(xpath
, "running", fail_on
=['failed'], timeout
=400)
166 xpath
= "/rw-project:project[rw-project:name={}]/ns-instance-opdata/nsr[ns-instance-config-ref={}]/config-status".format(
167 quoted_key(project_name
), quoted_key(nsr
.ns_instance_config_ref
))
168 admin_rwnsr_pxy
.wait_for(xpath
, "configured", fail_on
=['failed'], timeout
=400)
170 # Letting the started NS's run for a minute after which is terminated
171 start_time
= time
.time()
172 while (time
.time() - start_time
) < 60:
174 for project_name
in PROJECT_LIST
:
175 rift
.auto
.descriptor
.terminate_nsr(
176 admin_rwvnfr_pxy
, admin_rwnsr_pxy
, admin_rwvlr_pxy
, logger
,
177 project
=project_name
)
179 def test_descriptor_nsr_persistence_check(
180 self
, rw_conman_proxy
, rw_user_proxy
, rw_project_proxy
,
181 cloud_account
, cloud_module
, mgmt_session
, descriptors
, logger
,
182 user_domain
, session_class
, confd_host
, rbac_user_passwd
,
183 fmt_nsd_catalog_xpath
, rw_rbac_int_proxy
):
184 """Creates a project and cloud account for it. Uploads descriptors.
185 Logs in as project-admin and checks if the uploaded descriptors
186 are still there, after which he logs out.
187 Then instantiates nsr. Again logs in as project admin and checks
188 if the instantiated nsr is still there."""
189 # Creating a project, assigning project admin and creating
190 # a cloud account for the project
191 for idx
in range(1,6):
192 rift
.auto
.mano
.create_project(rw_conman_proxy
, 'xcloud_project_{}'.format(idx
))
193 rift
.auto
.mano
.create_user(rw_user_proxy
, 'project_admin_{}'.format(idx
), rbac_user_passwd
, user_domain
)
194 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, 'rw-project:project-admin', 'project_admin_{}'
195 .format(idx
), 'xcloud_project_{}'.format(idx
), user_domain
, rw_rbac_int_proxy
)
196 rift
.auto
.mano
.create_cloud_account(mgmt_session
, cloud_account
, 'xcloud_project_{}'.format(idx
))
197 #Uploading descriptors and verifying its existence from another user(project admin)
198 for descriptor
in descriptors
:
199 rift
.auto
.descriptor
.onboard(mgmt_session
, descriptor
, project
='xcloud_project_{}'.format(idx
))
200 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'project_admin_{}'.format(idx
), rbac_user_passwd
)
201 project_admin_nsd_pxy
= user_session
.proxy(RwProjectNsdYang
)
202 nsd_catalog
= project_admin_nsd_pxy
.get_config(fmt_nsd_catalog_xpath
.format(project
=quoted_key('xcloud_project_{}'.format(idx
))))
203 assert nsd_catalog
, "Descriptor Not found on try no: {}".format(idx
)
204 nsd
= nsd_catalog
.nsd
[0]
205 nsr
= rift
.auto
.descriptor
.create_nsr(cloud_account
.name
, nsd
.name
, nsd
)
206 rift
.auto
.mano
.close_session(user_session
)
207 #Instantiating the nsr and verifying its existence from another user(project admin), after which it gets terminated
208 admin_rwnsr_pxy
= mgmt_session
.proxy(RwNsrYang
)
209 admin_rwvnfr_pxy
= mgmt_session
.proxy(RwVnfrYang
)
210 admin_rwvlr_pxy
= mgmt_session
.proxy(RwVlrYang
)
212 rift
.auto
.descriptor
.instantiate_nsr(nsr
, admin_rwnsr_pxy
, logger
, project
='xcloud_project_{}'.format(idx
))
213 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'project_admin_{}'.format(idx
), rbac_user_passwd
)
214 pxy
= user_session
.proxy(RwNsrYang
)
215 nsr_opdata
= pxy
.get('/rw-project:project[rw-project:name={}]/ns-instance-opdata'.format(quoted_key('xcloud_project_{}'.format(idx
))))
216 nsrs
= nsr_opdata
.nsr
218 xpath
= "/rw-project:project[rw-project:name={}]/ns-instance-opdata/nsr[ns-instance-config-ref={}]/config-status".format(
219 quoted_key('xcloud_project_{}'.format(idx
)), quoted_key(nsr
.ns_instance_config_ref
))
220 pxy
.wait_for(xpath
, "configured", fail_on
=['failed'], timeout
=60)
221 rift
.auto
.mano
.close_session(user_session
)
222 rift
.auto
.descriptor
.terminate_nsr(
223 admin_rwvnfr_pxy
, admin_rwnsr_pxy
, admin_rwvlr_pxy
, logger
,
224 project
='xcloud_project_{}'.format(idx
))
226 def delete_records(self
, nsd_proxy
, vnfd_proxy
, project_name
='default'):
227 """Delete the NSD & VNFD records."""
228 nsds
= nsd_proxy
.get(
229 "/rw-project:project[rw-project:name={}]/nsd-catalog/nsd".format(
230 quoted_key(project_name
)),
234 "/rw-project:project[rw-project:name={}]".format(
235 quoted_key(project_name
)) +
236 "/nsd-catalog/nsd[id={}]".format(quoted_key(nsd
.id))
238 nsd_proxy
.delete_config(xpath
)
240 nsds
= nsd_proxy
.get(
241 "/rw-project:project[rw-project:name={}]/nsd-catalog/nsd".format(
242 quoted_key(project_name
)),
244 assert nsds
is None or len(nsds
.nsd
) == 0
246 vnfds
= vnfd_proxy
.get(
247 "/rw-project:project[rw-project:name={}]/vnfd-catalog/vnfd".format(
248 quoted_key(project_name
)),
250 for vnfd_record
in vnfds
.vnfd
:
252 "/rw-project:project[rw-project:name={}]/".format(
253 quoted_key(project_name
)) +
254 "vnfd-catalog/vnfd[id={}]".format(quoted_key(vnfd_record
.id))
256 vnfd_proxy
.delete_config(xpath
)
258 vnfds
= vnfd_proxy
.get(
259 "/rw-project:project[rw-project:name={}]/vnfd-catalog/vnfd".format(
260 quoted_key(project_name
)),
262 assert vnfds
is None or len(vnfds
.vnfd
) == 0
264 def test_delete_project_and_vim_accounts(
265 self
, rw_conman_proxy
, rw_user_proxy
, logger
,
266 rbac_user_passwd
, user_domain
, rw_project_proxy
, rw_rbac_int_proxy
,
267 mgmt_session
, cloud_module
, cloud_account
, descriptors
,
268 fmt_nsd_catalog_xpath
, session_class
, confd_host
):
269 """Testing vim accounts."""
270 # Create a project and three cloud accounts for it.
271 rift
.auto
.mano
.create_project(rw_conman_proxy
, 'vim_project')
272 rift
.auto
.mano
.assign_project_role_to_user(
273 rw_project_proxy
, 'rw-project:project-admin', 'admin',
274 'vim_project', 'system', rw_rbac_int_proxy
)
275 for idx
in range(1, 4):
276 rift
.auto
.mano
.create_cloud_account(
277 mgmt_session
, cloud_account
,
278 'vim_project', 'cloud_account_{}'.format(idx
))
279 # Uploading descriptors
280 for descriptor
in descriptors
:
281 rift
.auto
.descriptor
.onboard(
282 mgmt_session
, descriptor
, project
='vim_project')
283 nsd_pxy
= mgmt_session
.proxy(RwProjectNsdYang
)
284 nsd_catalog
= nsd_pxy
.get_config(fmt_nsd_catalog_xpath
.format(
285 project
=quoted_key('vim_project')))
287 nsd
= nsd_catalog
.nsd
[0]
288 nsr
= rift
.auto
.descriptor
.create_nsr(
289 'cloud_account_1', nsd
.name
, nsd
)
290 # Instantiating the nsr
291 rwnsr_pxy
= mgmt_session
.proxy(RwNsrYang
)
292 rift
.auto
.descriptor
.instantiate_nsr(
293 nsr
, rwnsr_pxy
, logger
, project
='vim_project')
294 # Trying to delete the project before taking the instance down
297 message
="Project deletion should've failed"):
298 rift
.auto
.mano
.delete_project(rw_conman_proxy
, 'vim_project')
299 # Trying to delete the vim account before taking the instance down
302 message
="Vim account deletion should've failed"):
303 rift
.auto
.mano
.delete_cloud_account(
304 mgmt_session
, 'cloud_account_1', 'vim_project')
305 # Terminating the nsr
306 rwvnfr_pxy
= mgmt_session
.proxy(RwVnfrYang
)
307 rwvlr_pxy
= mgmt_session
.proxy(RwVlrYang
)
308 rift
.auto
.descriptor
.terminate_nsr(
309 rwvnfr_pxy
, rwnsr_pxy
, rwvlr_pxy
, logger
, project
='vim_project')
310 # Delete all cloud accounts for the project
311 for idx
in range(1, 4):
312 rift
.auto
.mano
.delete_cloud_account(
313 mgmt_session
, 'cloud_account_{}'.format(idx
), 'vim_project')
314 # Delete the uploaded descriptors
315 vnfd_proxy
= mgmt_session
.proxy(RwProjectVnfdYang
)
316 self
.delete_records(nsd_pxy
, vnfd_proxy
, 'vim_project')
318 rift
.auto
.mano
.delete_project(rw_conman_proxy
, 'vim_project')
319 # Check in rw-rbac-internal if project is removed
320 rwinternal_xpath
= '/rw-rbac-internal/role'
322 rw_rbac_int_proxy
.get(
323 rwinternal_xpath
, list_obj
=True)
325 keys
= [role
['keys'] for role
in response
if 'keys' in role
]
327 assert 'vim_project' not in key
, "Improper project deletion"
330 not pytest
.config
.getoption("--complex-scaling"),
331 reason
="need --complex-scaling option to run")
332 def test_complex_scaling(
333 self
, rw_conman_proxy
, rw_user_proxy
, rbac_user_passwd
,
334 user_domain
, rw_project_proxy
, rw_rbac_int_proxy
, logger
,
335 rbac_platform_proxy
, user_roles
, platform_roles
, mgmt_session
,
336 cloud_module
, cloud_account
, rw_ro_account_proxy
,
337 tbac
, fmt_nsd_catalog_xpath
, descriptors
, complex_scaling_factor
):
338 """Complex scaling - Default values.
340 No. of projects - 25 (Two users & two cloud accounts per project)
341 No. of users - 50 (Two roles per user)
342 No. of cloud accounts - 50
343 No. of RO accounts - 25 (50 if you are considering the default 'rift').
345 # This test can be controlled using complex_scaling_factor fixture
346 logger
.debug('Creating projects')
347 for idx
in range(1, complex_scaling_factor
+ 1):
348 rift
.auto
.mano
.create_project(
349 rw_conman_proxy
, 'scaling_project_{}'.format(idx
)
351 logger
.debug('Create users, cloud accounts double the no. of projects')
352 for idx
in range(1, (2 * complex_scaling_factor
) + 1):
353 project_index
= int((idx
+ 1) / 2)
354 rift
.auto
.mano
.create_user(
355 rw_user_proxy
, 'scaling_user_{}'.format(idx
),
356 rbac_user_passwd
, user_domain
)
357 # Each user has a project role & platform role
358 pr_role
= random
.choice(user_roles
)
359 pl_role
= random
.choice(platform_roles
)
360 rift
.auto
.mano
.assign_project_role_to_user(
361 rw_project_proxy
, pr_role
, 'scaling_user_{}'.format(idx
),
362 'scaling_project_{}'.format(project_index
), user_domain
,
364 rift
.auto
.mano
.assign_platform_role_to_user(
365 rbac_platform_proxy
, pl_role
,
366 'scaling_user_{}'.format(idx
), user_domain
, rw_rbac_int_proxy
)
367 # Creating two cloud accounts for each project
368 rift
.auto
.mano
.create_cloud_account(
369 mgmt_session
, cloud_account
,
370 'scaling_project_{}'.format(project_index
),
371 'cloud_account_{}'.format(idx
)
373 logger
.debug('Creating RO accounts')
374 for idx
in range(1, complex_scaling_factor
+ 1):
375 rift
.auto
.mano
.create_ro_account(
376 rw_ro_account_proxy
, 'ro_account_{}'.format(idx
),
377 'scaling_project_{}'.format(idx
)
379 # Uploading descriptors
380 for descriptor
in descriptors
:
381 rift
.auto
.descriptor
.onboard(
382 mgmt_session
, descriptor
,
383 project
='scaling_project_{}'.format(idx
)
385 nsd_pxy
= mgmt_session
.proxy(RwProjectNsdYang
)
386 nsd_catalog
= nsd_pxy
.get_config(
387 fmt_nsd_catalog_xpath
.format(
388 project
=quoted_key('scaling_project_{}'.format(idx
))
394 not pytest
.config
.getoption("--complex-scaling"),
395 reason
="need --complex-scaling option to run")
396 def test_complex_scaling_verification(
397 self
, complex_scaling_factor
, rw_project_proxy
, rw_ro_account_proxy
,
398 mgmt_session
, fmt_nsd_catalog_xpath
, cloud_module
, logger
):
399 """Reboot verification script for test_complex_scaling."""
400 for idx
in range(1, complex_scaling_factor
+ 1):
402 logger
.debug('Verification: projects, ro accounts started')
403 project_name
= 'scaling_project_{}'.format(idx
)
404 project_cm_config_xpath
= '/project[name={project_name}]/project-state'
405 project_
= rw_project_proxy
.get_config(
406 project_cm_config_xpath
.format(
407 project_name
=quoted_key(project_name
)
412 # Verifying RO Accounts
413 ro_account_name
= 'ro_account_{}'.format(idx
)
414 ro_obj
= rw_ro_account_proxy
.get_config(
415 '/project[name={}]/ro-account/account[name={}]'.format(
416 quoted_key(project_name
), quoted_key(ro_account_name
))
418 assert ro_obj
.name
== ro_account_name
419 assert ro_obj
.ro_account_type
== 'openmano'
420 logger
.debug('Verification: descriptors, cloud accounts started')
421 # Verifying Descriptors
422 nsd_pxy
= mgmt_session
.proxy(RwProjectNsdYang
)
423 nsd_catalog
= nsd_pxy
.get_config(
424 fmt_nsd_catalog_xpath
.format(
425 project
=quoted_key(project_name
)
429 for idx
in range(1, (2 * complex_scaling_factor
) + 1):
430 # Verifying cloud accounts
431 project_index
= int((idx
+ 1) / 2)
432 project_name
= 'scaling_project_{}'.format(project_index
)
433 cloud_acc_name
= 'cloud_account_{}'.format(idx
)
435 '/project[name={project}]/cloud/account[name={account_name}]'
437 cloud_pxy
= mgmt_session
.proxy(cloud_module
)
438 response
= cloud_pxy
.get(fmt_cloud_xpath
.format(
439 project
=quoted_key(project_name
),
440 account_name
=quoted_key(cloud_acc_name
))
442 assert response
.name
== cloud_acc_name
445 def test_change_visibility_same_session(self
, session_class
, rw_conman_proxy
, confd_host
, logger
,
446 user_domain
, project_keyed_xpath
, rw_project_proxy
, rw_rbac_int_proxy
, rw_user_proxy
):
447 """admin make changes which is seen by the operator already logged in for the same project.
449 oper is logged in. admin assigns oper to a new project X. oper should be able to see the new project X being \
450 in the same session without re-logging-in.
452 user
= 'oper2' if user_domain
!= 'default' else 'oper'
453 oper_user
, oper_passwd
= [user
]*2
455 if user_domain
!= 'default':
456 rift
.auto
.mano
.create_user(rw_user_proxy
, oper_user
, oper_passwd
, user_domain
)
457 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, 'rw-project:project-oper', oper_user
,
458 'default', user_domain
, rw_rbac_int_proxy
)
459 oper_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, oper_user
, oper_passwd
)
460 oper_conman_pxy
= oper_session
.proxy(RwProjectYang
)
462 default_project_cm_config_xpath
= project_keyed_xpath
.format(project_name
=quoted_key('default'))+'/project-state'
463 assert oper_conman_pxy
.get_config(default_project_cm_config_xpath
, list_obj
=True)
465 # admin assigns oper 'project-admin' role under a new project
466 new_project
= 'project_test_change_visibility_same_session_1'
467 rift
.auto
.mano
.create_project(rw_project_proxy
, new_project
)
468 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, 'rw-project:project-admin', oper_user
, new_project
,
469 user_domain
, rw_rbac_int_proxy
)
471 # Check oper user should be able to access the new project
472 new_project_cm_config_xpath
= project_keyed_xpath
.format(project_name
=quoted_key(new_project
))+'/project-state'
473 assert oper_conman_pxy
.get_config(new_project_cm_config_xpath
, list_obj
=True)
475 def test_super_admin(
476 self
, rw_user_proxy
, rbac_platform_proxy
, rw_project_proxy
,
477 session_class
, confd_host
, rbac_user_passwd
, user_domain
,
479 """Variou tests on the super-admin role."""
480 # Creating two super admins and then deleting the first one.
481 rift
.auto
.mano
.create_user(
482 rw_user_proxy
, 'super_admin', rbac_user_passwd
, user_domain
)
483 rift
.auto
.mano
.assign_platform_role_to_user(
484 rbac_platform_proxy
, 'rw-rbac-platform:super-admin',
485 'super_admin', user_domain
, rw_rbac_int_proxy
)
486 rift
.auto
.mano
.create_user(
487 rw_user_proxy
, 'super_admin_2', rbac_user_passwd
, user_domain
)
488 rift
.auto
.mano
.assign_platform_role_to_user(
489 rbac_platform_proxy
, 'rw-rbac-platform:super-admin',
490 'super_admin_2', user_domain
, rw_rbac_int_proxy
)
492 user_session
= rift
.auto
.mano
.get_session(
493 session_class
, confd_host
, 'super_admin_2', rbac_user_passwd
)
494 pxy
= user_session
.proxy(RwRbacPlatformYang
)
496 "/rbac-platform-config/" +
497 "user[user-name={user}][user-domain={domain}]"
499 pxy
.delete_config(role_keyed_path
.format(
500 user
=quoted_key('super_admin'), domain
=quoted_key(user_domain
))
502 pxy
= user_session
.proxy(RwUserYang
)
503 rift
.auto
.mano
.delete_user(pxy
, 'super_admin', user_domain
)
504 rift
.auto
.mano
.close_session(user_session
)
506 @pytest.mark
.skipif(not pytest
.config
.getoption("--tbac"), reason
="need --tbac option to run")
507 def test_token_expiry_timeout(self
, mgmt_session
, rw_user_proxy
, rw_conman_proxy
, rbac_user_passwd
, user_domain
,
508 confd_host
, logger
, rw_project_proxy
, rw_rbac_int_proxy
, session_class
):
509 """Set 30 seconds as token-expiry-timeout; then verifies an user session is automatically expired after 30 secs"""
510 test_user
, role
= 'user-1', 'rw-project:project-oper'
511 test_proj
= 'project_test_token_expiry_timeout'
512 token_expiry_timeout
= 30
514 logger
.debug('Creating user {} under project {} and assigning it {}'.format(test_user
, test_proj
, role
))
515 rift
.auto
.mano
.create_project(rw_conman_proxy
, test_proj
)
516 rift
.auto
.mano
.create_user(rw_user_proxy
, test_user
, rbac_user_passwd
, user_domain
)
517 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, test_user
, test_proj
, user_domain
, rw_rbac_int_proxy
)
519 # admin user setting token_expiry_timeout
520 openidc_provider_xpath
= '/rw-openidc-provider:openidc-provider-config'
521 openidc_provider
= RwOpenidcProviderYang
.YangData_RwOpenidcProvider_OpenidcProviderConfig
.from_dict(
522 {'token_expiry_timeout': 30})
523 pxy
= mgmt_session
.proxy(RwOpenidcProviderYang
)
524 logger
.debug('Settig token_expiry_timeout to {} secs'.format(token_expiry_timeout
))
525 pxy
.replace_config(openidc_provider_xpath
, openidc_provider
)
527 # Verifying if token_expiry_timeout is set in openidc-provider-config
528 openidc_provider
= pxy
.get_config(openidc_provider_xpath
)
529 assert openidc_provider
530 assert openidc_provider
.token_expiry_timeout
== token_expiry_timeout
532 def project_access(user_session
):
533 user_conman_pxy
= user_session
.proxy(RwProjectYang
)
534 assert user_conman_pxy
.get_config('/project[name={}]/project-state'.format(quoted_key(test_proj
)), list_obj
=True)
536 # Log-in as test_user and validate operations under that user getting 'Unauthorized' after time-out
537 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, test_user
, rbac_user_passwd
)
538 project_access(user_session
)
540 logger
.debug('Sleeping for {} secs'.format(token_expiry_timeout
))
541 time
.sleep(token_expiry_timeout
+5)
543 with pytest
.raises(Exception, message
='logged-in user able to access default project even after token expired'):
544 logger
.debug('User {} trying to access default project. It should fail')
545 project_access(user_session
)
547 # log-in as same user and perform the same operation. It should pass now.
548 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, test_user
, rbac_user_passwd
)
549 project_access(user_session
)