[1LP][RFR] Automate test to verify key pair visibility in child tenants

cfme/cloud/keypairs.py

@@ -10,6 +10,7 @@
 
 from cfme.base.ui import BaseLoggedInPage
 from cfme.common import Taggable
+from cfme.common.vm_views import SetOwnershipView
 from cfme.exceptions import ItemNotFound
 from cfme.exceptions import KeyPairNotFound
 from cfme.modeling.base import BaseCollection
@@ -184,6 +185,41 @@ def download_private_key(self):
         view.toolbar.configuration.item_select('Download private key')
         view.flash.assert_no_error()
 
+    def set_ownership(self, owner=None, group=None, cancel=False, reset=False):
+        """Set keypair ownership
+
+        Args:
+            user (User): user object for ownership
+            group (Group): group object for ownership
+            click_cancel (bool): Whether to cancel form submission
+            click_reset (bool): Whether to reset form after filling
+        """
+        view = navigate_to(self, 'SetOwnership', wait_for_view=0)
+        fill_result = view.form.fill({
+            'user_name': owner.name if owner else None,
+            'group_name': group.description if group else None})
+        if not fill_result:
+            view.form.cancel_button.click()
+            view = self.create_view(navigator.get_class(self, 'Details').VIEW)
+            view.flash.assert_success_message('Set Ownership was cancelled by the user')
+            return
+
+        # Only if the form changed
+        if reset:
+            view.form.reset_button.click()
+            view.flash.assert_message('All changes have been reset', 'warning')
+            # Cancel after reset
+            assert view.form.is_displayed
+            view.form.cancel_button.click()
+        elif cancel:
+            view.form.cancel_button.click()
+            view.flash.assert_no_error()
+        else:
+            # save the form
+            view.form.save_button.click()
+            view = self.create_view(navigator.get_class(self, 'Details').VIEW)
+            view.flash.assert_no_error()
+
 
 @attr.s
 class KeyPairCollection(BaseCollection):
@@ -253,6 +289,15 @@ def step(self, *args, **kwargs):
         item.click()
 
 
+@navigator.register(KeyPair, 'SetOwnership')
+class SetOwnership(CFMENavigateStep):
+    VIEW = SetOwnershipView
+    prerequisite = NavigateToSibling('Details')
+
+    def step(self, *args, **kwargs):
+        self.prerequisite_view.toolbar.configuration.item_select('Set Ownership')
+
+
 @navigator.register(KeyPairCollection, 'Add')
 class Add(CFMENavigateStep):
     VIEW = KeyPairAddView

cfme/fixtures/multi_tenancy.py

@@ -0,0 +1,63 @@
+"""
+Fixtures for Multi Tenancy
+"""
+import fauxfactory
+import pytest
+
+from cfme.base.credential import Credential
+from cfme.utils.update import update
+
+
+@pytest.fixture(scope='module')
+def child_tenant(appliance):
+    """Fixture to create a child tenant with 'My Company' as its parent"""
+    child_tenant = appliance.collections.tenants.create(
+        name=fauxfactory.gen_alphanumeric(15, start="child_tenant_"),
+        description='tenant description',
+        parent=appliance.collections.tenants.get_root_tenant()
+    )
+    yield child_tenant
+    child_tenant.delete_if_exists()
+
+
+@pytest.fixture(scope='module')
+def tenant_role(appliance, request):
+    """Fixture to create a tenant_administrator role with additional product features"""
+    role = appliance.collections.roles.instantiate(name='EvmRole-tenant_administrator')
+    tenant_role = role.copy()
+
+    # Note: BZ 1278484 - tenant admin role has no permissions to create new roles
+    with update(tenant_role):
+        if appliance.version < '5.11':
+            tenant_role.product_features = [
+                (['Everything', 'Settings', 'Configuration', 'Settings'], True),
+                (['Everything', 'Compute', 'Clouds', 'Auth Key Pairs'], True)
+            ]
+        else:
+            tenant_role.product_features = [
+                (['Everything', 'Main Configuration', 'Settings'], True),
+                (['Everything', 'Compute', 'Clouds', 'Auth Key Pairs'], True)
+            ]
+    yield tenant_role
+    tenant_role.delete_if_exists()
+
+
+@pytest.fixture(scope='module')
+def child_tenant_admin_user(appliance, request, child_tenant, tenant_role):
+    """Fixture to create a tenant admin user"""
+    credential = Credential(principal=fauxfactory.gen_alphanumeric(start="uid"),
+                    secret='redhat')
+    group = appliance.collections.groups.create(
+        description=fauxfactory.gen_alphanumeric(15, start="tenant_grp_"), role=tenant_role.name,
+        tenant=f'My Company/{child_tenant.name}')
+
+    tenant_admin_user = appliance.collections.users.create(
+        name=fauxfactory.gen_alphanumeric(start='tenant_admin_user'),
+        credential=credential,
+        email='[email protected]',
+        groups=group,
+        cost_center='Workload',
+        value_assign='Database')
+    yield tenant_admin_user
+    tenant_admin_user.delete_if_exists()
+    group.delete_if_exists()

cfme/tests/cloud/test_keypairs.py

@@ -11,8 +11,9 @@
 from cfme.utils.blockers import BZ
 
 pytestmark = [
+    pytest.mark.tier(3),
     test_requirements.cloud,
-    pytest.mark.usefixtures('setup_provider_modscope'),
+    pytest.mark.usefixtures('has_no_providers_modscope', 'setup_provider_modscope'),
     pytest.mark.provider([EC2Provider, OpenStackProvider], scope="module")
 ]
 
@@ -29,7 +30,6 @@ def keypair(appliance, provider):
 
 @pytest.mark.meta(blockers=[BZ(1718833, forced_streams=["5.10", "5.11"],
                                unblock=lambda provider: provider.one_of(OpenStackProvider))])
-@pytest.mark.tier(3)
 def test_keypair_crud(appliance, provider):
     """ This will test whether it will create new Keypair and then deletes it.
     Polarion:
@@ -52,7 +52,6 @@ def test_keypair_crud(appliance, provider):
     assert not keypair.exists
 
 
-@pytest.mark.tier(3)
 def test_keypair_crud_with_key(provider, appliance):
     """ This will test whether it will create new Keypair and then deletes it.
     Polarion:
@@ -78,7 +77,6 @@ def test_keypair_crud_with_key(provider, appliance):
     assert not keypair.exists
 
 
-@pytest.mark.tier(3)
 def test_keypair_create_cancel(provider, appliance):
     """ This will test cancelling on adding a keypair
     Polarion:
@@ -97,7 +95,6 @@ def test_keypair_create_cancel(provider, appliance):
     assert not keypair.exists
 
 
-@pytest.mark.tier(3)
 def test_keypair_create_name_validation(provider, appliance):
     """ This will test validating that key pair without name cannot be created.
     Polarion:
@@ -126,7 +123,6 @@ def test_keypair_create_name_validation(provider, appliance):
                                   'Keypair name contains unsafe characters'.format(keypair_name))
 
 
-@pytest.mark.tier(3)
 def test_keypair_create_invalid_key_validation(provider, appliance):
     """ This will test validating that key pair with invalid public key cannot be created.
     Polarion:
@@ -190,3 +186,35 @@ def test_download_private_key(keypair):
         initialEstimate: 1/4h
     """
     keypair.download_private_key()
+
+
+@pytest.mark.meta(automates=[1741635, 1747179])
+@test_requirements.multi_tenancy
+def test_keypair_visibility_in_tenants(appliance, child_tenant_admin_user):
+    """
+    Test to verify key pair visibility in tenants based on key pair ownership
+
+    Steps:
+        1. Copy the EvmRole_tenant_admin role to a new role (Since this role does not have the
+           Auth Key Pairs feature enabled)
+        2. In the role, enable the Auth Key Pairs feature
+        3. Add either new or existing group to the newly created tenant admin role
+           (Steps 1-3 are done through fixtures)
+        4. If the added group belongs to a child tenant, then the key pair is only visible to users
+           in that group/child tenant and also users from groups that belong to parent tenants.
+
+    Polarion:
+        assignee: nachandr
+        casecomponent: Configuration
+        caseimportance: high
+        tags: cfme_tenancy
+        initialEstimate: 1/4h
+    """
+    view = navigate_to(appliance.collections.cloud_keypairs, 'All')
+    key_pair = view.entities.get_first_entity().data['name']
+    key_pair_obj = appliance.collections.cloud_keypairs.instantiate(key_pair)
+    key_pair_obj.set_ownership(group=child_tenant_admin_user.groups[0])
+    view.flash.assert_success_message('Ownership saved for selected Key Pair')
+
+    with child_tenant_admin_user:
+        assert key_pair_obj.exists

cfme/tests/configure/test_access_control.py

@@ -104,48 +104,6 @@ def setup_openldap_user_group(appliance, two_child_tenants, openldap_auth_provid
         group.delete_if_exists()
 
 
-@pytest.fixture(scope='module')
-def child_tenant(appliance):
-    child_tenant = appliance.collections.tenants.create(
-        name=fauxfactory.gen_alphanumeric(15, start="child_tenant_"),
-        description='tenant description',
-        parent=appliance.collections.tenants.get_root_tenant()
-    )
-    yield child_tenant
-    child_tenant.delete_if_exists()
-
-
-@pytest.fixture(scope='module')
-def tenant_role(appliance, request):
-    role = appliance.collections.roles.instantiate(name='EvmRole-tenant_administrator')
-    tenant_role = role.copy()
-
-    # Note: BZ 1278484 - tenant admin role has no permissions to create new roles
-    with update(tenant_role):
-        if appliance.version < '5.11':
-            tenant_role.product_features = [
-                (['Everything', 'Settings', 'Configuration', 'Settings'], True)
-            ]
-        else:
-            tenant_role.product_features = [
-                (['Everything', 'Main Configuration', 'Settings'], True)
-            ]
-    yield tenant_role
-    tenant_role.delete_if_exists()
-
-
-@pytest.fixture(scope='module')
-def new_tenant_admin(appliance, request, child_tenant, tenant_role):
-    group = appliance.collections.groups.create(
-        description=fauxfactory.gen_alphanumeric(15, start="tenant_grp_"), role=tenant_role.name,
-        tenant=f'My Company/{child_tenant.name}')
-
-    tenant_admin = new_user(appliance, group, name='tenant_admin_user')
-    yield tenant_admin
-    tenant_admin.delete_if_exists()
-    group.delete_if_exists()
-
-
 @pytest.fixture(scope='function')
 def check_item_visibility(tag):
     def _check_item_visibility(item, user_restricted):
@@ -1574,7 +1532,8 @@ def test_superadmin_tenant_admin_crud(appliance):
 
 @pytest.mark.tier(2)
 @test_requirements.multi_tenancy
-def test_tenantadmin_group_crud(new_tenant_admin, tenant_role, child_tenant, request, appliance):
+def test_tenantadmin_group_crud(child_tenant_admin_user, tenant_role, child_tenant, request,
+        appliance):
     """
     Perform CRUD operations on groups as Tenant administrator.
 
@@ -1589,9 +1548,9 @@ def test_tenantadmin_group_crud(new_tenant_admin, tenant_role, child_tenant, req
             1. Create new tenant admin user and assign user to group EvmGroup-tenant_administrator
             2. As Tenant administrator, create new group, update group and delete group.
     """
-    with new_tenant_admin:
+    with child_tenant_admin_user:
         navigate_to(appliance.server, 'LoggedIn')
-        assert appliance.server.current_full_name() == new_tenant_admin.name
+        assert appliance.server.current_full_name() == child_tenant_admin_user.name
 
         group_collection = appliance.collections.groups
         group = group_collection.create(
@@ -1641,7 +1600,8 @@ def test_tenant_unique_catalog(appliance, request, catalog_obj):
 
 @pytest.mark.ignore_stream("upstream")
 @test_requirements.multi_tenancy
-def test_tenantadmin_user_crud(new_tenant_admin, tenant_role, child_tenant, request, appliance):
+def test_tenantadmin_user_crud(child_tenant_admin_user, tenant_role, child_tenant, request,
+        appliance):
     """
     As a Tenant Admin, I want to be able to create users in my tenant.
     Polarion:
@@ -1665,11 +1625,11 @@ def test_tenantadmin_user_crud(new_tenant_admin, tenant_role, child_tenant, requ
             must be created by superadministrator. In 5.5.0.13 after giving additional permissions
             to tenant_admin,able to create new roles
     """
-    with new_tenant_admin:
+    with child_tenant_admin_user:
         navigate_to(appliance.server, 'LoggedIn')
-        assert appliance.server.current_full_name() == new_tenant_admin.name
+        assert appliance.server.current_full_name() == child_tenant_admin_user.name
 
-        user = new_user(appliance, new_tenant_admin.groups[0])
+        user = new_user(appliance, child_tenant_admin_user.groups[0])
         request.addfinalizer(user.delete_if_exists)
         assert user.exists
 

conftest.py

@@ -59,6 +59,7 @@
     "cfme.fixtures.maximized",
     "cfme.fixtures.model_collections",
     "cfme.fixtures.multi_region",
+    "cfme.fixtures.multi_tenancy",
     "cfme.fixtures.nelson",
     "cfme.fixtures.networks",
     "cfme.fixtures.nuage",