13 changes: 5 additions & 8 deletions qa-tests-backend/src/test/groovy/ComplianceTest.groovy
Expand Up @@ -1323,25 +1323,22 @@ class ComplianceTest extends BaseSpecification {
String testRole = RoleService.createRoleWithScopeAndPermissionSet(
"Compliance Test Automation Role " + UUID.randomUUID(),
remoteStackroxAccessScope.id, [
"APIToken" : READ_WRITE_ACCESS,
"Access" : READ_WRITE_ACCESS,
// TODO: ROX-12750 Remove AllComments, ComplianceRuns, ComplianceRunSchedule, Config, DebugLogs,
// ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig and ServiceIdentity permissions.
// TODO: ROX-12750 Add Administration permission
"AllComments" : READ_WRITE_ACCESS,
"AuthProvider" : READ_WRITE_ACCESS,
"BackupPlugins" : READ_WRITE_ACCESS,
"Config" : READ_WRITE_ACCESS,
"DebugLogs" : READ_WRITE_ACCESS,
"Detection" : READ_WRITE_ACCESS,
"Group" : READ_WRITE_ACCESS,
"ImageIntegration" : READ_WRITE_ACCESS,
"Licenses" : READ_WRITE_ACCESS,
"Notifier" : READ_WRITE_ACCESS,
"Integration" : READ_WRITE_ACCESS,
"Policy" : READ_WRITE_ACCESS,
"ProbeUpload" : READ_WRITE_ACCESS,
"Role" : READ_WRITE_ACCESS,
"ScannerBundle" : READ_WRITE_ACCESS,
"ScannerDefinitions" : READ_WRITE_ACCESS,
"SensorUpgradeConfig" : READ_WRITE_ACCESS,
"ServiceIdentity" : READ_WRITE_ACCESS,
"User" : READ_WRITE_ACCESS,
"Cluster" : READ_WRITE_ACCESS,
"Compliance" : READ_WRITE_ACCESS,
"ComplianceRuns" : READ_WRITE_ACCESS,
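Review bot: The role created here still holds READ_WRITE_ACCESS on identity-administration resources (`APIToken`, `Access`, `AuthProvider`, `Role`, `User`) that a compliance scenario does not appear to exercise, so the test effectively runs as an unrestricted principal and would not catch a compliance endpoint that stopped enforcing its own permission check; the enclosing method starts and ends outside this hunk, so a setup step that needs those resources may exist out of view. If they are only needed for setup, consider doing that setup with the default client and scoping this role to `Cluster`, `Compliance` and the resources the scenario actually reads. The two ROX-12750 TODO comments could also be merged into one line so the removal list and the `Administration` addition are tracked together rather than read as separate tasks.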
Expand Up @@ -34,6 +34,7 @@ class DiagnosticBundleTest extends BaseSpecification {
RoleService.createRoleWithScopeAndPermissionSet(debugLogsReaderRoleName,
UNRESTRICTED_SCOPE_ID,
[
// TODO: ROX-12750 Replace DebugLogs with Administration
"DebugLogs": RoleOuterClass.Access.READ_ACCESS,
"Cluster": RoleOuterClass.Access.READ_ACCESS,
]
Expand All @@ -42,6 +43,7 @@ class DiagnosticBundleTest extends BaseSpecification {
debugLogsReaderRoleName)
Map<String, RoleOuterClass.Access> resourceToAccess =
[
// TODO: ROX-12750 Replace DebugLogs with Administration
"DebugLogs": RoleOuterClass.Access.NO_ACCESS,
"Cluster": RoleOuterClass.Access.NO_ACCESS,
]
55 changes: 0 additions & 55 deletions qa-tests-backend/src/test/groovy/RbacAuthTest.groovy
Expand Up @@ -11,7 +11,6 @@ import services.AuthProviderService
import services.BaseService
import services.ClusterService
import services.NetworkPolicyService
import services.ProcessService
import services.RoleService
import spock.lang.Shared
import spock.lang.Unroll
Expand Down Expand Up @@ -178,58 +177,4 @@ spec:
"NetworkGraph": RoleOuterClass.Access.READ_ACCESS,
"NetworkPolicy": RoleOuterClass.Access.READ_WRITE_ACCESS,] | ["NetworkPolicy"]
}

@Category(BAT)
def "Verify token with multiple roles works as expected"() {
when:
"Create two roles for individual access"
def roles = ["Indicator", "ProcessWhitelist"].collect {
Map<String, RoleOuterClass.Access> resourceToAccess = [
(it): RoleOuterClass.Access.READ_ACCESS
]
def role = RoleService.createRoleWithScopeAndPermissionSet("View ${it}",
UNRESTRICTED_SCOPE_ID, resourceToAccess)
assert RoleService.getRole(role.name)
log.info "Created Role:\n${role.name}"
role
}
assert roles.size() == 2

and:
"Create tokens that use either one or both roles"
def tokens = roles.subsequences().collect {
def token = ApiTokenService.generateToken("API Token - ${it*.name}", (it*.name).toArray(new String[0]))
assert token != null
token
}
assert tokens.size() == 3

then:
"Call to RPC method should succeed iff token represents union role"
for (def token : tokens) {
log.info "Checking behavior with token ${token.metadata.name}"
assert canDo({
ProcessService.getGroupedProcessByDeploymentAndContainer("unknown")
}, token.token, true) == (token.metadata.rolesCount > 1)
}

and:
"MyPermissions API should return the union of permissions"
for (def token : tokens) {
log.info "Checking permissions for token ${token.metadata.name}"
assert myPermissions(token.token).resourceToAccessMap.size() == token.metadata.rolesList.size()
}

cleanup:
"Revoke tokens"
for (def token : tokens) {
ApiTokenService.revokeToken(token.metadata.id)
}

and:
"Delete roles"
for (def role : roles) {
RoleService.deleteRole(role.name)
}
}
}
2 changes: 1 addition & 1 deletion qa-tests-backend/src/test/groovy/SACTest.groovy
Expand Up @@ -123,7 +123,7 @@ class SACTest extends BaseSpecification {
(NOACCESSTOKEN) : [noaccess],
(ALLACCESSTOKEN) : [createRole(UNRESTRICTED_SCOPE_ID, allResourcesAccess)],
"deployments-access-token" : [createRole(remoteQaTest2.id,
["Deployment": READ_ACCESS, "Risk": READ_ACCESS])],
["Deployment": READ_ACCESS, "DeploymentExtension": READ_ACCESS])],
"getSummaryCountsToken" : [createRole(remoteQaTest1.id, allResourcesAccess)],
"listSecretsToken" : [createRole(UNRESTRICTED_SCOPE_ID, ["Secret": READ_ACCESS])],
"searchAlertsToken" : [createRole(remoteQaTest1.id, ["Alert": READ_ACCESS]), noaccess],
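Review bot: The `Risk` to `DeploymentExtension` swap on the `deployments-access-token` role carries no explanation in the hunk, and the token name still says only "deployments", so a reader cannot tell why a second read permission is required or whether `Risk` is still a valid resource name. A short comment above the entry would keep the fixture auditable, e.g. `// DeploymentExtension is required alongside Deployment for the deployment calls this token exercises — <tracking issue>`, with the issue id filled in (presumably the same resource consolidation as the ROX-12750 TODOs in the other files, but that is inferred, not visible here). The assertions that consume this token live outside the hunk; please confirm they no longer expect Risk-scoped results.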