Update roles required for testing

This patch removes the hard-coded 'key-manager:service-admin' role from the base test class because the role is not available in deployments with the new Secure RBAC policies enabled. There is only one test that still requires this role in the API quotas tests, so we generate a dynamic user there and only use it in this class. This test is skipped when SRBAC is enabled. Change-Id: I6fbfe43f821d9315e01d3bdfd6f5d4edf4e552b7
2024-02-19 14:07:59 -06:00 · 2024-02-19 14:07:59 -06:00 · 26928121dd
commit 26928121dd
parent 3c70e93c06
3 changed files with 30 additions and 36 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -42,7 +42,7 @@
        test-config:
          $TEMPEST_CONFIG:
            auth:
-              tempest_roles: creator
+              create_isolated_networks: False
            image-feature-enabled:
              # this may be removed soon, as api_v1 is false since tempest>=20
              api_v1: False
@ -159,21 +159,20 @@
    name: barbican-tempest-plugin-simple-crypto-secure-rbac
    parent: barbican-tempest-plugin-simple-crypto
    vars:
+      devstack_localrc:
+        ENFORCE_SCOPE: True
      devstack_local_conf:
-        post-config:
-          $BARBICAN_CONF:
-            oslo_policy:
-              enforce_new_defaults: True
-              enforce_scope: True
-            # (lpiwowar): Uncomment once this bug is resolved:
-            # https://bugs.launchpad.net/barbican/+bug/2043457
-            # secretstore:
-            #  enable_multiple_secret_stores: True
-            #  stores_lookup_suffix: simple_crypto
-            # secretstore:simple_crypto:
-            #  secret_store_plugin: store_crypto
-            #  crypto_plugin: simple_crypto
-            #  global_default: true
+        # (lpiwowar): Uncomment once this bug is resolved:
+        # https://bugs.launchpad.net/barbican/+bug/2043457
+        # post-config:
+        #   $BARBICAN_CONF:
+        #     secretstore:
+        #      enable_multiple_secret_stores: True
+        #      stores_lookup_suffix: simple_crypto
+        #     secretstore:simple_crypto:
+        #      secret_store_plugin: store_crypto
+        #      crypto_plugin: simple_crypto
+        #      global_default: true
        test-config:
          $TEMPEST_CONFIG:
            enforce_scope:
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase,
                         api_version_utils.BaseMicroversionTest):
    """Base class for all api tests."""

-    # Why do I have to be an admin to create secrets? No idea...
-    credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
+    credentials = ['project_admin']
    client_manager = clients.Clients
    created_objects = {}

@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase,
        cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
        cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
        cls.version_client = os.secret_v1_1.VersionClient()
-
-        os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
        cls.quota_client = os.secret_v1.QuotaClient()

    @classmethod
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base

 from tempest import config
 from tempest.lib import decorators
-from tempest.lib import exceptions
+

 CONF = config.CONF

@ -26,26 +26,19 @@ class QuotasTest(base.BaseKeyManagerTest):

    @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
    def test_get_effective_quota(self):
-        if CONF.enforce_scope.barbican:
-            # This test is using key-manager:service-admin legacy
-            # role. User with only this role should get a Forbidden
-            # error when trying to get effective quotas in SRBAC
-            # environment.
-            self.assertRaises(
-                exceptions.Forbidden,
-                self.quota_client.get_default_project_quota)
-        else:
-            body = self.quota_client.get_default_project_quota()
-            quotas = body.get('quotas')
-            self.assertEqual(-1, quotas.get('secrets'))
-            self.assertEqual(-1, quotas.get('cas'))
-            self.assertEqual(-1, quotas.get('orders'))
-            self.assertEqual(-1, quotas.get('containers'))
-            self.assertEqual(-1, quotas.get('consumers'))
+        body = self.quota_client.get_default_project_quota()
+        quotas = body.get('quotas')
+        self.assertEqual(-1, quotas.get('secrets'))
+        self.assertEqual(-1, quotas.get('cas'))
+        self.assertEqual(-1, quotas.get('orders'))
+        self.assertEqual(-1, quotas.get('containers'))
+        self.assertEqual(-1, quotas.get('consumers'))


 class ProjectQuotasTest(base.BaseKeyManagerTest):

+    credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
+
    @classmethod
    def skip_checks(cls):
        super().skip_checks()
@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
            raise cls.skipException("enforce_scope is enabled for barbican, "
                                    "skipping project quota tests.")

+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
+
    @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
    def test_manage_project_quotas(self):
        # Confirm that there are no quotas