Source code for patrole_tempest_plugin.rbac_exceptions
# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.lib import exceptions
[docs]class BasePatroleException(exceptions.TempestException):
message = "An unknown RBAC exception occurred"
[docs]class BasePatroleResponseBodyException(BasePatroleException):
message = "Response body incomplete due to RBAC authorization failure"
[docs]class RbacMissingAttributeResponseBody(BasePatroleResponseBodyException):
"""Raised when a list or show action is missing an attribute following
RBAC authorization failure.
"""
message = ("The response body is missing the expected %(attribute)s due "
"to policy enforcement failure")
[docs]class RbacPartialResponseBody(BasePatroleResponseBodyException):
"""Raised when a list action only returns a subset of the available
resources.
For example, admin can return more resources than member for a list action.
"""
message = ("The response body only lists a subset of the available "
"resources due to partial policy enforcement failure. Response "
"body: %(body)s")
[docs]class RbacEmptyResponseBody(BasePatroleResponseBodyException):
"""Raised when a list or show action is empty following RBAC authorization
failure.
"""
message = "The response body is empty due to policy enforcement failure."
[docs]class RbacResourceSetupFailed(BasePatroleException):
message = "RBAC resource setup failed"
[docs]class RbacOverPermissionException(BasePatroleException):
"""Raised when the expected result is failure but the actual result is
pass.
"""
message = "Unauthorized action was allowed to be performed"
[docs]class RbacUnderPermissionException(BasePatroleException):
"""Raised when the expected result is pass but the actual result is
failure.
"""
message = "Authorized action was not allowed to be performed"
[docs]class RbacExpectedWrongException(BasePatroleException):
"""Raised when the expected exception does not match the actual exception
raised, when both are instances of Forbidden or NotFound, indicating
the test provides a wrong argument to `expected_error_codes`.
"""
message = ("Expected %(expected)s to be raised but %(actual)s was raised "
"instead. Actual exception: %(exception)s")
[docs]class RbacInvalidServiceException(BasePatroleException):
"""Raised when an invalid service is passed to ``rbac_rule_validation``
decorator.
"""
message = "Attempted to test an invalid service"
[docs]class RbacParsingException(BasePatroleException):
message = "Attempted to test an invalid policy file or action"
[docs]class RbacInvalidErrorCode(BasePatroleException):
message = "Unsupported error code passed in test"
[docs]class RbacOverrideRoleException(BasePatroleException):
"""Raised when override_role is used incorrectly or fails somehow.
Used for safeguarding against false positives that might occur when the
expected exception isn't raised inside the ``override_role`` context.
Specifically, when:
* ``override_role`` isn't called
* an exception is raised before ``override_role`` context
* an exception is raised after ``override_role`` context
"""
message = "Override role failure or incorrect usage"
[docs]class RbacValidateListException(BasePatroleException):
"""Raised when override_role_and_validate_list is used incorrectly.
Specifically, when:
* Neither ``resource_id`` nor ``resources`` is initialized
* Both ``resource_id`` and ``resources`` are initialized
* The ``ctx.resources`` variable wasn't set in
override_role_and_validate_list context.
"""
message = "Incorrect usage of override_role_and_validate_list: %(reason)s"