Merge "Add functional test for access control (RBAC) with Keystone"

test/functional/__init__.py

@@ -92,15 +92,16 @@ normalized_urls = None
 # If no config was read, we will fall back to old school env vars
 swift_test_auth_version = None
 swift_test_auth = os.environ.get('SWIFT_TEST_AUTH')
-swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '']
-swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '']
-swift_test_tenant = ['', '', '', '', '']
-swift_test_perm = ['', '', '', '', '']
-swift_test_domain = ['', '', '', '', '']
-swift_test_user_id = ['', '', '', '', '']
-swift_test_tenant_id = ['', '', '', '', '']
+swift_test_user = [os.environ.get('SWIFT_TEST_USER'), None, None, '', '', '']
+swift_test_key = [os.environ.get('SWIFT_TEST_KEY'), None, None, '', '', '']
+swift_test_tenant = ['', '', '', '', '', '']
+swift_test_perm = ['', '', '', '', '', '']
+swift_test_domain = ['', '', '', '', '', '']
+swift_test_user_id = ['', '', '', '', '', '']
+swift_test_tenant_id = ['', '', '', '', '', '']
 
-skip, skip2, skip3, skip_service_tokens = False, False, False, False
+skip, skip2, skip3, skip_service_tokens, skip_if_no_reseller_admin = \
+    False, False, False, False, False
 
 orig_collate = ''
 insecure = False
@@ -385,7 +386,11 @@ def in_process_setup(the_object_server=object_server):
         'service_prefix': 'SERVICE',
         # For tempauth middleware. Update reseller_prefix
         'reseller_prefix': 'AUTH, SERVICE',
-        'SERVICE_require_group': 'service'
+        'SERVICE_require_group': 'service',
+        # Reseller admin user (needs reseller_admin_role)
+        'account6': 'test6',
+        'username6': 'tester6',
+        'password6': 'testing6'
     })
 
     # If an env var explicitly specifies the proxy-server object_post_as_copy
@@ -692,6 +697,10 @@ def setup_package():
                 swift_test_user[4] = config['username5']
                 swift_test_tenant[4] = config['account5']
                 swift_test_key[4] = config['password5']
+            if 'username6' in config:
+                swift_test_user[5] = config['username6']
+                swift_test_tenant[5] = config['account6']
+                swift_test_key[5] = config['password6']
 
             for _ in range(5):
                 swift_test_perm[_] = swift_test_tenant[_] + ':' \
@@ -747,6 +756,16 @@ def setup_package():
                 % policy_specified)
             raise Exception('Failed to find specified policy %s'
                             % policy_specified)
+
+    global skip_if_no_reseller_admin
+    skip_if_no_reseller_admin = not all([not skip, swift_test_user[5],
+                                         swift_test_key[5],
+                                         swift_test_tenant[5]])
+    if not skip and skip_if_no_reseller_admin:
+        print(
+            'SKIPPING FUNCTIONAL TESTS DUE TO NO CONFIG FOR RESELLER ADMIN',
+            file=sys.stderr)
+
     get_cluster_info()
 
 

test/functional/test_object.py

@@ -71,6 +71,20 @@ class TestObject(unittest2.TestCase):
         resp = retry(put, name, use_account=use_account)
         resp.read()
         self.assertEqual(resp.status, 201)
+
+        # With keystoneauth we need the accounts to have had the project
+        # domain id persisted as sysmeta prior to testing ACLs. This may
+        # not be the case if, for example, the account was created using
+        # a request with reseller_admin role, when project domain id may
+        # not have been known. So we ensure that the project domain id is
+        # in sysmeta by making a POST to the accounts using an admin role.
+        def post(url, token, parsed, conn):
+            conn.request('POST', parsed.path, '', {'X-Auth-Token': token})
+            return check_response(conn)
+        resp = retry(post, use_account=use_account)
+        resp.read()
+        self.assertEqual(resp.status, 204)
+
         return name
 
     def tearDown(self):

test/functional/tests.py

@@ -1108,6 +1108,15 @@ class TestFileEnv(object):
 
         cls.file_size = 128
 
+        # With keystoneauth we need the accounts to have had the project
+        # domain id persisted as sysmeta prior to testing ACLs. This may
+        # not be the case if, for example, the account was created using
+        # a request with reseller_admin role, when project domain id may
+        # not have been known. So we ensure that the project domain id is
+        # in sysmeta by making a POST to the accounts using an admin role.
+        cls.account.update_metadata()
+        cls.account2.update_metadata()
+
 
 class TestFileDev(Base):
     env = TestFileEnv

test/sample.conf

@@ -58,6 +58,12 @@ password3 = testing3
 # account contains an underscore.
 #service_prefix = SERVICE
 
+# Sixth user is required for access control tests.
+# Account must have a role for reseller_admin_role(keystoneauth).
+#account6 = test
+#username6 = tester6
+#password6 = testing6
+
 collate = C
 
 # Only necessary if a pre-existing server uses self-signed certificate