test/suites: Add tests for storage pool used-by filtering.
Signed-off-by: Mark Laing <[email protected]>
markylaing committed Oct 22, 2024
1 parent 0819000 commit a51ac04
Showing 1 changed file with 66 additions and 0 deletions.
66 changes: 66 additions & 0 deletions test/suites/auth.sh
@@ -168,6 +168,9 @@ effective_permissions: []"
lxc auth group permission remove test-group server viewer
lxc auth group permission remove test-group server project_manager

storage_pool_used_by "oidc"
LXD_CONF="${LXD_CONF2}" storage_pool_used_by "tls"

# Perform access checks
fine_grained_authorization "oidc"
LXD_CONF="${LXD_CONF2}" fine_grained_authorization "tls"
@@ -213,6 +216,69 @@ effective_permissions: []"
}


storage_pool_used_by() {
remote="${1}"

# test-group must have no permissions to start the test.
[ "$(lxc query /1.0/auth/groups/test-group | jq '.permissions | length')" -eq 0 ]

# Test storage pool used-by filtering
pool_name="$(lxc storage list -f csv | cut -d, -f1)"

# Used-by list should have only the default profile. Members of test-group have no permissions, so they should get an empty list.
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 1 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 0 ]

# Launch instance. Should appear in pool used-by list. Members of test-group still can't see anything.
lxc launch testimage c1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 2 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 0 ]

# Allow members of test-group to view the instance. They should see it in the used-by list.
lxc auth group permission add test-group instance c1 can_view project=default
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 1 ]

# Take a snapshot. Used-by length should increase. Members of test-group should see the snapshot.
lxc snapshot c1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 3 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 2 ]

# Take another snapshot and check again. This is done because filtering used-by lists takes a slightly different code
# path when it receives multiple URLs of the same entity type.
lxc snapshot c1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 4 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 3 ]

# Perform the same checks with storage volume snapshots.
lxc storage volume create "${pool_name}" vol1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 5 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 3 ]

lxc auth group permission add test-group storage_volume vol1 can_view project=default pool="${pool_name}" type=custom
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 4 ]

lxc storage volume snapshot "${pool_name}" vol1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 6 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 5 ]

lxc storage volume snapshot "${pool_name}" vol1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 7 ]
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 6 ]

# Remove can_view on the volume and check the volume and snapshots are no longer in the used-by list.
lxc auth group permission remove test-group storage_volume vol1 can_view project=default pool="${pool_name}" type=custom
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 3 ]

# Remove can_view on the instance and check the volume and snapshots are no longer in the used-by list.
lxc auth group permission remove test-group instance c1 can_view project=default
[ "$(lxc_remote query "${remote}:/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 0 ]

# Clean up storage volume used-by tests.
lxc delete c1 -f
lxc storage volume delete "${pool_name}" vol1
[ "$(lxc query "/1.0/storage-pools/${pool_name}" | jq '.used_by | length')" -eq 1 ]
}

fine_grained_authorization() {
remote="${1}"

