tests: Add negative RBAC test against SaltAPI

This checks that if not allowed in Salt eauth perms, an authenticated user (using 'storage-operator' as a practical example) cannot run any module (using 'test.ping' as an example). See: #2634
scality · Jun 19, 2020 · 846d96b · 846d96b
1 parent 7bea636
commit 846d96b
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 19 deletions.
diff --git a/tests/post/features/salt_api.feature b/tests/post/features/salt_api.feature
@@ -14,6 +14,7 @@ Feature: SaltAPI
         When we login to SaltAPI with the ServiceAccount 'storage-operator'
         Then we can invoke '["disk.dump", "state.sls"]' on '*'
         And we have '@jobs' perms
+        And we can not ping all minions
 
     Scenario: Login to SaltAPI using an incorrect password
         Given the Kubernetes API is available

diff --git a/tests/post/steps/test_salt_api.py b/tests/post/steps/test_salt_api.py
@@ -8,6 +8,17 @@
 from pytest_bdd import parsers, scenario, then, when
 
 
+def _negation(value):
+    """Parse an optional negation after a verb (in a Gherkin feature spec)."""
+    if value == "":
+        return False
+    elif value in [" not", "not"]:
+        return True
+    else:
+        raise ValueError(
+            "Cannot parse '{}' as an optional negation".format(value)
+        )
+
 # Scenario {{{
 
 
@@ -71,26 +82,19 @@ def login_salt_api_token(host, k8s_client, account_name, version, context):
 # Then {{{
 
 
-@then('we can ping all minions')
-def ping_all_minions(host, context):
-    result = requests.post(
-        context['salt-api']['url'],
-        json=[
-            {
-                'client': 'local',
-                'tgt': '*',
-                'fun': 'test.ping',
-            },
-        ],
-        headers={
-            'X-Auth-Token': context['salt-api']['token'],
-        },
-        verify=False,
-    )
+@then(parsers.parse(
+    'we can{negated:Negation} ping all minions',
+    extra_types={'Negation': _negation}
+))
+def ping_all_minions(host, context, negated):
+    result = _salt_call(context, 'test.ping', tgt='*')
 
-    result_data = result.json()
-
-    assert result_data['return'][0] != []
+    if negated:
+        assert result.status_code == 401
+        assert 'No permission' in result.text
+    else:
+        result_data = result.json()
+        assert result_data['return'][0] != []
 
 
 @then('authentication fails')
@@ -164,4 +168,25 @@ def _salt_api_login(address, username=None, password=None, token=None):
     return result
 
 
+def _salt_call(context, fun, tgt='*', arg=None, kwarg=None):
+    action = {
+        'client': 'local',
+        'tgt': tgt,
+        'fun': fun,
+    }
+    if arg is not None:
+        action['arg'] = arg
+    if kwarg is not None:
+        action['kwarg'] = kwarg
+
+    return requests.post(
+        context['salt-api']['url'],
+        json=[action],
+        headers={
+            'X-Auth-Token': context['salt-api']['token'],
+        },
+        verify=False,
+    )
+
+
 # }}}