From e20bc479827ed28322194b64dc460a1938cf279d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 2 Sep 2021 20:27:36 +0000
Subject: [PATCH] Enforce scope in RBAC testing

Ensure that the Barbican service is configured to use scoped tokens when checking RBAC policy.

Depends-On: Id399d2220118efe1033426c658d1834cbff02f94
Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22
---
 .zuul.yaml | 1 +
 barbican_tempest_plugin/tests/api/test_quotas.py | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index 753b57b..be73dc7 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -63,6 +63,7 @@
 $BARBICAN_CONF:
 oslo_policy:
 enforce_new_defaults: True
+ enforce_scope: True
 test-config:
 $TEMPEST_CONFIG:
 # FIXME(redrobot): Tempest errors out when you try to create a
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index cde33e3..2546249 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -24,7 +24,7 @@ class QuotasTest(base.BaseKeyManagerTest):
 """Quotas API tests."""
 
 @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
- def test_create_get_delete_quota(self):
+ def test_get_effective_quota(self):
 # Verify the default quota settings
 body = self.quota_client.get_default_project_quota()
 quotas = body.get('quotas')
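Review bot: The new `enforce_scope: True` under `$BARBICAN_CONF` / `oslo_policy` in `.zuul.yaml` only configures the service, while the skip added in `test_quotas.py` reads a separate Tempest option, `CONF.barbican_rbac_scope_verification.enforce_scope`, which this hunk does not show being set under `$TEMPEST_CONFIG`. The rest of `test-config` lies outside the hunk, so it may already be set there. If it is not, the two values can drift and `ProjectQuotasTest` would run project-scoped credentials against a scope-enforcing service instead of skipping. A comment beside the new line would make the coupling explicit, for example `# keep in sync with barbican_rbac_scope_verification.enforce_scope in $TEMPEST_CONFIG`.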
@@ -34,6 +34,20 @@ class QuotasTest(base.BaseKeyManagerTest):
 self.assertEqual(-1, quotas.get('containers'))
 self.assertEqual(-1, quotas.get('consumers'))
 
+
+class ProjectQuotasTest(base.BaseKeyManagerTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super().skip_checks()
+ if CONF.barbican_rbac_scope_verification.enforce_scope:
+ # These tests can't be run with the new RBAC rules because
+ # the APIs they're testing require system-scoped credentials
+ # instead of the project-scoped credentials used here.
+ raise cls.skipException("enforce_scope is enabled for barbican, "
+ "skipping project quota tests.")
+
+ def test_manage_project_quotas(self):
 # Confirm that there are no quotas
 body = self.quota_client.list_quotas()
 self.assertEqual(0, body.get('total'), body)
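Review bot: `test_manage_project_quotas` in the new `ProjectQuotasTest` class is added without an `@decorators.idempotent_id(...)` decorator, while the existing id `47ebc42b-…` stays on the renamed `test_get_effective_quota`. The split-out test therefore needs its own fresh id, e.g. `@decorators.idempotent_id('<new-uuid4>')` directly above the `def`. The class also has no docstring; something like `"""Project quota management tests using project-scoped credentials."""` would match `QuotasTest`. Separately, when `enforce_scope` is on, `skip_checks` skips the whole class, so nothing here asserts that project-scoped credentials are actually rejected by the quota-management API. If that is not covered by another suite, a negative test expecting a Forbidden response would verify the enforcement this change enables. The body of `test_manage_project_quotas` continues past the end of the hunk.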