tests: Add RBAC test for VM.other_config

This verifies that RBAC key checking works for VM.set_other_config

Signed-off-by: Andrii Sultanov <andriy.sultanov@vates.tech>

Author: last-genius

ocaml/tests/dune

@@ -7,7 +7,7 @@
       test_cluster_host test_cluster test_pusb test_network_sriov
       test_client test_valid_ref_list suite_alcotest_server
       test_vm_placement test_vm_helpers test_repository test_repository_helpers
-      test_ref test_xapi_helpers test_vm_group
+      test_ref test_xapi_helpers test_vm_group test_vm_rbac
       test_livepatch test_rpm test_updateinfo test_storage_smapiv1_wrapper test_storage_quicktest test_observer
       test_pool_periodic_update_sync test_pkg_mgr test_tar_ext test_pool_repository))
   (libraries
@@ -62,7 +62,8 @@
 (test
   (name suite_alcotest_server)
   (package xapi)
-  (modules suite_alcotest_server test_client test_valid_ref_list test_vm_group)
+  (modules suite_alcotest_server test_client test_valid_ref_list test_vm_group
+           test_vm_rbac)
   (libraries
     alcotest
     xapi_database

ocaml/tests/suite_alcotest_server.ml

@@ -8,4 +8,5 @@ let () =
       ("Test_valid_ref_list", Test_valid_ref_list.test)
     ; ("Test_client", Test_client.test)
     ; ("Test_vm_group", Test_vm_group.test)
+    ; ("Test_vm_rbac", Test_vm_rbac.test)
     ]

ocaml/tests/test_client.ml

@@ -8,7 +8,7 @@
     calls can only succeed if they get forwarded to the local host
     by the message forwarding layer. Forwarding to slaves does not
     work in unit tests. *)
-let make_client_params ~__context =
+let make_client_params_aux ~rbac_permissions ~is_local_superuser ~__context =
   let req = Xmlrpc_client.xmlrpc ~version:"1.1" "/" in
   let rpc = Api_server.Server.dispatch_call req None in
   let session_id =
@@ -17,13 +17,18 @@ let make_client_params ~__context =
     let (_ : _ API.Ref.t) =
       Test_common.make_session ~__context ~ref:session_id
         ~this_host:(Helpers.get_localhost ~__context)
-        ~last_active:now ~is_local_superuser:true ~validation_time:now
-        ~auth_user_name:"root" ~originator:"test" ()
+        ~rbac_permissions ~last_active:now ~is_local_superuser
+        ~validation_time:now ~auth_user_name:"root" ~originator:"test" ()
     in
     session_id
   in
   (rpc, session_id)
 
+let make_role_client_params = make_client_params_aux
+
+let make_client_params =
+  make_client_params_aux ~is_local_superuser:true ~rbac_permissions:[]
+
 let setup_test () =
   Xapi.register_callback_fns () ;
   let __context = Test_common.make_test_database () in

ocaml/tests/test_vm_rbac.ml

@@ -0,0 +1,81 @@
+module T = Test_common
+
+let setup () =
+  let __context = T.make_test_database () in
+  let vm = T.make_vm ~__context () in
+  let rpc, session_id =
+    Test_client.make_role_client_params ~__context ~is_local_superuser:false
+      ~rbac_permissions:["vm-admin"]
+  in
+  (rpc, session_id, vm)
+
+let check_rbac ?(roles = "vm-power-admin, vm-admin, pool-admin, pool-operator")
+    s x =
+  Alcotest.check_raises "should fail"
+    (Api_errors.Server_error
+       ( Api_errors.rbac_permission_denied
+       , [
+           s
+         ; Printf.sprintf
+             "No permission in user session. (Roles with this permission: %s)"
+             roles
+         ]
+       )
+    )
+    x
+
+let test_add_other_config_rbac_check () =
+  let rpc, session_id, vm = setup () in
+  check_rbac ~roles:"pool-admin" "vm.add_to_other_config/key:pci" (fun () ->
+      Client.Client.VM.add_to_other_config ~rpc ~session_id ~self:vm ~key:"pci"
+        ~value:"test"
+  )
+
+let test_set_other_config_rbac_check () =
+  let __context = T.make_test_database () in
+  let vm = T.make_vm ~__context () in
+  let rpc, session_id =
+    Test_client.make_role_client_params ~__context ~is_local_superuser:false
+      ~rbac_permissions:["vm-admin"]
+  in
+  let root_rpc, root_session_id = Test_client.make_client_params ~__context in
+  check_rbac ~roles:"pool-admin" "vm.add_to_other_config/key:pci" (fun () ->
+      Client.Client.VM.add_to_other_config ~rpc ~session_id ~self:vm ~key:"pci"
+        ~value:"test"
+  ) ;
+  check_rbac "vm.set_other_config" (fun () ->
+      Client.Client.VM.set_other_config ~rpc ~session_id ~self:vm
+        ~value:[("pci", "test")]
+  ) ;
+  Client.Client.VM.set_other_config ~rpc:root_rpc ~session_id:root_session_id
+    ~self:vm
+    ~value:[("pci", "test")] ;
+  Client.Client.VM.remove_from_other_config ~rpc:root_rpc
+    ~session_id:root_session_id ~self:vm ~key:"pci" ;
+  Client.Client.VM.add_to_other_config ~rpc:root_rpc ~session_id:root_session_id
+    ~self:vm ~key:"pci" ~value:"test2" ;
+  check_rbac ~roles:"pool-admin" "vm.remove_from_other_config/key:pci"
+    (fun () ->
+      Client.Client.VM.remove_from_other_config ~rpc ~session_id ~self:vm
+        ~key:"pci"
+  ) ;
+  check_rbac ~roles:"pool-admin" "vm.add_to_other_config/key:pci" (fun () ->
+      Client.Client.VM.add_to_other_config ~rpc ~session_id ~self:vm ~key:"pci"
+        ~value:"test"
+  ) ;
+  check_rbac "vm.set_other_config" (fun () ->
+      Client.Client.VM.set_other_config ~rpc ~session_id ~self:vm
+        ~value:[("pci", "test")]
+  )
+
+let test =
+  [
+    ( "test_add_other_config_rbac_check"
+    , `Quick
+    , test_add_other_config_rbac_check
+    )
+  ; ( "test_set_other_config_rbac_check"
+    , `Quick
+    , test_set_other_config_rbac_check
+    )
+  ]