Source code for patrole_tempest_plugin.rbac_exceptions

# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from tempest.lib import exceptions


[docs]class BasePatroleException(exceptions.TempestException): message = "An unknown RBAC exception occurred"
[docs]class BasePatroleResponseBodyException(BasePatroleException): message = "Response body incomplete due to RBAC authorization failure"
[docs]class RbacMissingAttributeResponseBody(BasePatroleResponseBodyException): """Raised when a list or show action is missing an attribute following RBAC authorization failure. """ message = ("The response body is missing the expected %(attribute)s due " "to policy enforcement failure")
[docs]class RbacPartialResponseBody(BasePatroleResponseBodyException): """Raised when a list action only returns a subset of the available resources. For example, admin can return more resources than member for a list action. """ message = ("The response body only lists a subset of the available " "resources due to partial policy enforcement failure. Response " "body: %(body)s")
[docs]class RbacEmptyResponseBody(BasePatroleResponseBodyException): """Raised when a list or show action is empty following RBAC authorization failure. """ message = "The response body is empty due to policy enforcement failure."
[docs]class RbacResourceSetupFailed(BasePatroleException): message = "RBAC resource setup failed"
[docs]class RbacOverPermissionException(BasePatroleException): """Raised when the expected result is failure but the actual result is pass. """ message = "Unauthorized action was allowed to be performed"
[docs]class RbacUnderPermissionException(BasePatroleException): """Raised when the expected result is pass but the actual result is failure. """ message = "Authorized action was not allowed to be performed"
[docs]class RbacExpectedWrongException(BasePatroleException): """Raised when the expected exception does not match the actual exception raised, when both are instances of Forbidden or NotFound, indicating the test provides a wrong argument to `expected_error_codes`. """ message = ("Expected %(expected)s to be raised but %(actual)s was raised " "instead. Actual exception: %(exception)s")
[docs]class RbacInvalidServiceException(BasePatroleException): """Raised when an invalid service is passed to ``rbac_rule_validation`` decorator. """ message = "Attempted to test an invalid service"
[docs]class RbacParsingException(BasePatroleException): message = "Attempted to test an invalid policy file or action"
[docs]class RbacInvalidErrorCode(BasePatroleException): message = "Unsupported error code passed in test"
[docs]class RbacOverrideRoleException(BasePatroleException): """Raised when override_role is used incorrectly or fails somehow. Used for safeguarding against false positives that might occur when the expected exception isn't raised inside the ``override_role`` context. Specifically, when: * ``override_role`` isn't called * an exception is raised before ``override_role`` context * an exception is raised after ``override_role`` context """ message = "Override role failure or incorrect usage"
[docs]class RbacValidateListException(BasePatroleException): """Raised when override_role_and_validate_list is used incorrectly. Specifically, when: * Neither ``resource_id`` nor ``resources`` is initialized * Both ``resource_id`` and ``resources`` are initialized * The ``ctx.resources`` variable wasn't set in override_role_and_validate_list context. """ message = "Incorrect usage of override_role_and_validate_list: %(reason)s"