From e5248a18c6525d6ce700d996508e187f7991ca59 Mon Sep 17 00:00:00 2001
From: Matthieu Huin <mhu@enovance.com>
Date: Mon, 2 Jun 2014 18:32:18 +0200
Subject: [PATCH 1/4] Adds test for CW policy file, meant to be run on devstack

---
 tests/test_CWpolicy.sh | 68 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100755 tests/test_CWpolicy.sh

diff --git a/tests/test_CWpolicy.sh b/tests/test_CWpolicy.sh
new file mode 100755
index 0000000..7826256
--- /dev/null
+++ b/tests/test_CWpolicy.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+
+# assuming a devstack with the following parameters, where swiftpolicy mw
+# was added to the swift pipeline and using CWpolicy.json
+
+OS_ADMIN=admin
+OS_ADMIN_PASSWORD=admin
+OS_ADMIN_TENANT=admin
+OS_AUTH_URL=http://localhost:5000/v2.0
+
+# CW related variables
+CW_ROLE1=upload_disabled
+CW_ROLE2=remove_only
+CW_USER=cwuser
+
+# Create user, tenant, roles
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-create --name $CW_USER
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE1
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE2
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-create --name $CW_USER --tenant $CW_USER --pass $CW_USER --enabled true
+
+# Let's do regular stuff first
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role Member
+
+echo "testy test" > testytest
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj1 container1 testytest
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj1 todelete testytest
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj2 todelete testytest
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj3 todelete testytest
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list 
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj3
+
+# Now prevent uploads
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
+# fail
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj2
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+
+
+# Now authorize file removal only
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-remove --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE2
+# fail
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
+# pass
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1
+# fail
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+
+
+# cleanup
+rm testytest obj1
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_USER
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-delete $CW_USER
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE1
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE2

From d1b40bd74726290b8ecb63a36195fad5eef79a2f Mon Sep 17 00:00:00 2001
From: Matthieu Huin <mhu@enovance.com>
Date: Mon, 2 Jun 2014 19:19:05 +0200
Subject: [PATCH 2/4] Clarifies output

---
 tests/test_CWpolicy.sh | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/tests/test_CWpolicy.sh b/tests/test_CWpolicy.sh
index 7826256..5225aae 100755
--- a/tests/test_CWpolicy.sh
+++ b/tests/test_CWpolicy.sh
@@ -23,41 +23,68 @@ OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASS
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role Member
 
 echo "testy test" > testytest
+echo "Testing uploading an object/container"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj1 container1 testytest
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj1 todelete testytest
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj2 todelete testytest
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj3 todelete testytest
-OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list 
+echo "Testing list and stat"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list container1 
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
+echo "Testing deleting delobj3"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj3
 
+echo ""
 # Now prevent uploads
+echo "Applying $CW_ROLE1"
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
-# fail
+echo "Testing upload"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
+if [ $? -ne 0 ]; then
+    echo "Upload forbidden, all good"
+else
+    echo "FAIL - User can upload data"
+fi;
 # pass
-OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list
+echo "Testing listing container1"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list container1
 # pass
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
 # pass
+echo "Testing deletion"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj2
 # pass
+echo "Testing download"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
 
-
+echo ""
 # Now authorize file removal only
+echo "Applying $CW_ROLE2"
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-remove --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE2
-# fail
+echo "Testing upload"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
+if [ $? -ne 0 ]; then
+    echo "Upload forbidden, all good"
+else
+    echo "FAIL - User can upload data"
+fi;
 # pass
-OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list
+echo "Testing listing container1"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list container1
 # pass
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
 # pass
+echo "Testing deleting delobj1"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1
 # fail
+echo "Testing downloading object"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+if [ $? -ne 0 ]; then
+    echo "Download forbidden, all good"
+else
+    echo "FAIL - User can download data"
+fi;
 
 
 # cleanup

From 99be4f593191ff4c5c8865f4898c1d31c7b8b6e8 Mon Sep 17 00:00:00 2001
From: Matthieu Huin <mhu@enovance.com>
Date: Tue, 3 Jun 2014 11:06:35 +0200
Subject: [PATCH 3/4] Improves tests, adds verification of support role

---
 tests/test_CWpolicy.sh | 79 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 70 insertions(+), 9 deletions(-)

diff --git a/tests/test_CWpolicy.sh b/tests/test_CWpolicy.sh
index 5225aae..b0081d0 100755
--- a/tests/test_CWpolicy.sh
+++ b/tests/test_CWpolicy.sh
@@ -12,17 +12,23 @@ OS_AUTH_URL=http://localhost:5000/v2.0
 CW_ROLE1=upload_disabled
 CW_ROLE2=remove_only
 CW_USER=cwuser
+CW_SUPPORT=support
 
-# Create user, tenant, roles
+# Create users, tenant, roles
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-create --name $CW_USER
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE1
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE2
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_SUPPORT
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-create --name $CW_USER --tenant $CW_USER --pass $CW_USER --enabled true
+# support user
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-create --name $CW_SUPPORT --pass $CW_SUPPORT --enabled true
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_SUPPORT --tenant $CW_USER --role $CW_SUPPORT
 
 # Let's do regular stuff first
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role Member
 
 echo "testy test" > testytest
+echo "* Regular user"
 echo "Testing uploading an object/container"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj1 container1 testytest
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj1 todelete testytest
@@ -33,12 +39,16 @@ OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$O
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
 echo "Testing deleting delobj3"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj3
+echo "Testing download - object"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+echo "Testing download - container"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1
 
 echo ""
 # Now prevent uploads
 echo "Applying $CW_ROLE1"
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
-echo "Testing upload"
+echo "* Testing upload"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
 if [ $? -ne 0 ]; then
     echo "Upload forbidden, all good"
@@ -46,23 +56,25 @@ else
     echo "FAIL - User can upload data"
 fi;
 # pass
-echo "Testing listing container1"
+echo "* Testing listing container1"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list container1
 # pass
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
 # pass
-echo "Testing deletion"
+echo "* Testing deletion"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj2
 # pass
-echo "Testing download"
+echo "* Testing download - object"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+echo "* Testing download - container"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1
 
 echo ""
 # Now authorize file removal only
 echo "Applying $CW_ROLE2"
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-remove --user $CW_USER --tenant $CW_USER --role $CW_ROLE1
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE2
-echo "Testing upload"
+echo "* Testing upload"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
 if [ $? -ne 0 ]; then
     echo "Upload forbidden, all good"
@@ -70,26 +82,75 @@ else
     echo "FAIL - User can upload data"
 fi;
 # pass
-echo "Testing listing container1"
+echo "* Testing listing container1"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift list container1
 # pass
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift stat
 # pass
-echo "Testing deleting delobj1"
+echo "* Testing deleting delobj1"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1
 # fail
-echo "Testing downloading object"
+echo "* Testing downloading object"
 OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
 if [ $? -ne 0 ]; then
     echo "Download forbidden, all good"
 else
     echo "FAIL - User can download data"
 fi;
+echo "* Testing downloading container"
+OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift download container1
+if [ $? -ne 0 ]; then
+    echo "Download forbidden, all good"
+else
+    echo "FAIL - User can download data"
+fi;
+
+
+echo ""
+# Testing support access
+echo "Testing support user"
+echo "* Testing upload"
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest
+if [ $? -ne 0 ]; then
+    echo "Upload forbidden, all good"
+else
+    echo "FAIL - User can upload data"
+fi;
+# pass
+echo "* Testing listing container1"
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift list container1
+# pass
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift stat
+# fail
+echo "* Testing deleting delobj1"
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1
+if [ $? -ne 0 ]; then
+    echo "Delete forbidden, all good"
+else
+    echo "FAIL - User can delete data"
+fi;
+# fail
+echo "* Testing downloading object"
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1
+if [ $? -ne 0 ]; then
+    echo "Download forbidden, all good"
+else
+    echo "FAIL - User can download data"
+fi;
+echo "* Testing downloading container"
+OS_USERNAME=$CW_SUPPORT OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_SUPPORT OS_AUTH_URL=$OS_AUTH_URL swift download container1
+if [ $? -ne 0 ]; then
+    echo "Download forbidden, all good"
+else
+    echo "FAIL - User can download data"
+fi;
 
 
 # cleanup
 rm testytest obj1
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_SUPPORT
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_USER
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-delete $CW_USER
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE1
 OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE2
+OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_SUPPORT

From aeeeb89bdf1411c951c403f8fd6db5a8bb90a37a Mon Sep 17 00:00:00 2001
From: Nassim Babaci <nassim.babaci@cloudwatt.com>
Date: Tue, 3 Jun 2014 11:46:38 +0200
Subject: [PATCH 4/4] add cleanup option

---
 tests/test_CWpolicy.sh | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/tests/test_CWpolicy.sh b/tests/test_CWpolicy.sh
index 5225aae..c25feb6 100755
--- a/tests/test_CWpolicy.sh
+++ b/tests/test_CWpolicy.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+CLEANUP=${CLEANUP-true}
 # assuming a devstack with the following parameters, where swiftpolicy mw
 # was added to the swift pipeline and using CWpolicy.json
 
@@ -88,8 +89,15 @@ fi;
 
 
 # cleanup
-rm testytest obj1
-OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_USER
-OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-delete $CW_USER
-OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE1
-OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE2
+cleanup () {
+    rm testytest obj1
+    OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_USER
+    OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone tenant-delete $CW_USER
+    OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE1
+    OS_USERNAME=$OS_ADMIN OS_TENANT_NAME=$OS_ADMIN_TENANT OS_PASSWORD=$OS_ADMIN_PASSWORD OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE2
+}
+
+if [ "$CLEANUP" = "true" ]
+then
+    cleanup
+fi