Add switch role validation to Patrole framework

Registered by Felipe Monteiro

Currently, no role validation is performed when calling switch_role. This
is problematic for the following reasons:

  - The only "validation" right now checks whether switchToRbacRole is None.
    If so, None is returned. The validation used is nowhere near as robust
    as it should be -- what if a string or int is passed in? -- and an error
    should be thrown instead of silently returning None.
  - If switch_role is called with the same boolean value twice, then the
    rbac_role under test is never switched to: this should be detected
    and flagged as an error.
  - If switch_role is not called in a test, then an error should definitely
    be thrown as well, because then the test may pass as a false positive.

Thus, it is essential that some kind of validation be added to the framework
so that switchToRbacRole is being used consistently correctly, especially
given that if it is used incorrectly, tests unrelated to the bug might be
impacted. This is because if switch_role is not executed consistently,
the rbac user performing the next action might have too many or too
few permissions.

Blueprint information

Status:
Complete
Approver:
Samantha Blanco
Priority:
Medium
Drafter:
Felipe Monteiro
Direction:
Needs approval
Assignee:
Felipe Monteiro
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Felipe Monteiro
Completed by
Felipe Monteiro

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-switch-role-validation,n,z

Addressed by: https://review.openstack.org/438203
    Add role-switching validation to Patrole framework.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.