From 832692c4fb76dc6d0da903d1d7dd515bb7f669e0 Mon Sep 17 00:00:00 2001
From: Lukas Piwowarski <lpiwowar@redhat.com>
Date: Thu, 1 Jun 2023 09:12:48 +0000
Subject: [PATCH] Modify test_get_effective_quota test

The test_get_effective_quotas test uses key-manager:service-admin
legacy role to get the effective quotas. Using a user with only this
role should lead to an ERROR in an SRBAC environment.

This patch changes the test so that it checks whether the ERROR
occurred when the test tried to get quotas in SRBAC environment.

Also, auth.tempest_roles = member was removed from tempest.conf
as it is not necessary and causes a failure of the modified
test and it might cause unwanted problems in the future.

Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74
---
 .zuul.yaml                                    |  2 --
 .../tests/api/test_quotas.py                  | 25 +++++++++++++------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index d60cc74..84f163d 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -130,8 +130,6 @@
               enforce_scope: True
         test-config:
           $TEMPEST_CONFIG:
-            auth:
-              tempest_roles: member
             barbican_rbac_scope_verification:
               enforce_scope: True
 
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 2546249..7840406 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -16,6 +16,7 @@ from barbican_tempest_plugin.tests.api import base
 
 from tempest import config
 from tempest.lib import decorators
+from tempest.lib import exceptions
 
 CONF = config.CONF
 
@@ -25,14 +26,22 @@ class QuotasTest(base.BaseKeyManagerTest):
 
     @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
     def test_get_effective_quota(self):
-        # Verify the default quota settings
-        body = self.quota_client.get_default_project_quota()
-        quotas = body.get('quotas')
-        self.assertEqual(-1, quotas.get('secrets'))
-        self.assertEqual(-1, quotas.get('cas'))
-        self.assertEqual(-1, quotas.get('orders'))
-        self.assertEqual(-1, quotas.get('containers'))
-        self.assertEqual(-1, quotas.get('consumers'))
+        if CONF.barbican_rbac_scope_verification.enforce_scope:
+            # This test is using key-manager:service-admin legacy
+            # role. User with only this role should get a Forbidden
+            # error when trying to get effective quotas in SRBAC
+            # environment.
+            self.assertRaises(
+                exceptions.Forbidden,
+                self.quota_client.get_default_project_quota)
+        else:
+            body = self.quota_client.get_default_project_quota()
+            quotas = body.get('quotas')
+            self.assertEqual(-1, quotas.get('secrets'))
+            self.assertEqual(-1, quotas.get('cas'))
+            self.assertEqual(-1, quotas.get('orders'))
+            self.assertEqual(-1, quotas.get('containers'))
+            self.assertEqual(-1, quotas.get('consumers'))
 
 
 class ProjectQuotasTest(base.BaseKeyManagerTest):