diff --git a/.zuul.yaml b/.zuul.yaml index 20f9f31..1f543fc 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -137,8 +137,6 @@ global_default: true test-config: $TEMPEST_CONFIG: - auth: - tempest_roles: member barbican_rbac_scope_verification: enforce_scope: True barbican_tempest: diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py index 2546249..7840406 100644 --- a/barbican_tempest_plugin/tests/api/test_quotas.py +++ b/barbican_tempest_plugin/tests/api/test_quotas.py @@ -16,6 +16,7 @@ from barbican_tempest_plugin.tests.api import base from tempest import config from tempest.lib import decorators +from tempest.lib import exceptions CONF = config.CONF @@ -25,14 +26,22 @@ class QuotasTest(base.BaseKeyManagerTest): @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f') def test_get_effective_quota(self): - # Verify the default quota settings - body = self.quota_client.get_default_project_quota() - quotas = body.get('quotas') - self.assertEqual(-1, quotas.get('secrets')) - self.assertEqual(-1, quotas.get('cas')) - self.assertEqual(-1, quotas.get('orders')) - self.assertEqual(-1, quotas.get('containers')) - self.assertEqual(-1, quotas.get('consumers')) + if CONF.barbican_rbac_scope_verification.enforce_scope: + # This test is using key-manager:service-admin legacy + # role. User with only this role should get a Forbidden + # error when trying to get effective quotas in SRBAC + # environment. + self.assertRaises( + exceptions.Forbidden, + self.quota_client.get_default_project_quota) + else: + body = self.quota_client.get_default_project_quota() + quotas = body.get('quotas') + self.assertEqual(-1, quotas.get('secrets')) + self.assertEqual(-1, quotas.get('cas')) + self.assertEqual(-1, quotas.get('orders')) + self.assertEqual(-1, quotas.get('containers')) + self.assertEqual(-1, quotas.get('consumers')) class ProjectQuotasTest(base.BaseKeyManagerTest):