Patrole

Add support for handling different error codes for different roles

Bug #1772710 reported by Cliff Parsons on 2018-05-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Patrole	Fix Released	Undecided	Cliff Parsons

Bug Description

Patrole currently cannot handle the scenario where two possible error codes can returned by Neutron policy enforcement for a failed policy check (403 Forbidden and 404 NotFound), depending on what role is being tested. Patrole framework can only handle one expected_exception. Example below:

Roles:
  admin
  role1
  role2
  role3

Rules:
“show_action”: “role:admin or role:role1”
“update_action”: “role:admin”

In the enforcement of “update_action”, Neutron would return a 403 Forbidden for role1, but a 404 NotFound for role2 and role3 (because policy check fails on “show_action” for role2/role3). The Patrole test case would pass for roles admin and role1, but would always fail for role2 and role3 even though Neutron is producing the correct/expected result.

Revision history for this message

Ghanshyam Mann (ghanshyammann) wrote on 2018-06-15:

in-progress - https://review.openstack.org/#/c/570262/

Changed in patrole:
status:	New → In Progress

Cliff Parsons (cliffhparsons) on 2018-06-15

Changed in patrole:
assignee:	nobody → Cliff Parsons (cliffhparsons)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-19: Fix merged to patrole (master)

Reviewed: https://review.openstack.org/570262
Committed: https://git.openstack.org/cgit/openstack/patrole/commit/?id=35a77113fccfd5659c123adb2cc142836cdd764d
Submitter: Zuul
Branch: master

commit 35a77113fccfd5659c123adb2cc142836cdd764d
Author: Cliff Parsons <email address hidden>
Date: Mon May 7 14:03:40 2018 -0500

Add support for handling multiple error codes

    Patrole currently cannot handle the scenario where two possible
    error codes can returned by Neutron policy enforcement for a
    failed policy check (403 Forbidden and 404 NotFound), depending
    on what role is being tested. Patrole framework can only handle
    one expected_exception.

    This change builds upon the recent multi-policy support to allow
    the tester to specify multiple policy actions for one API test.
    For each policy action, the tester would need to specify an
    error code that is expected if the action should fail. If multiple
    policy actions fail, the error code for the first policy action
    that fails will be expected to be returned from the service.

    This handles the cases in Neutron where Neutron may use a second
    policy rule to determine whether or not to return a 403 error
    code or a 404 error code. The tester is expected to list out
    which policy rules are being tested by the API endpoint test.

Change-Id: I5cd861e184da90bb27f8ba454c94fa4d4f99c269
Closes-Bug: #1772710

Changed in patrole:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-16: Fix included in openstack/patrole 0.4.0

This issue was fixed in the openstack/patrole 0.4.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.