Merge "Update roles required for testing"

2024-03-08 15:21:11 +00:00 · 2024-03-08 15:21:11 +00:00 · f95155dc76
commit f95155dc76
parent 57968af2c4 26928121dd
3 changed files with 30 additions and 36 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -42,7 +42,7 @@
        test-config:
          $TEMPEST_CONFIG:
            auth:
-              tempest_roles: creator
+              create_isolated_networks: False
            image-feature-enabled:
              # this may be removed soon, as api_v1 is false since tempest>=20
              api_v1: False
@ -159,21 +159,20 @@
    name: barbican-tempest-plugin-simple-crypto-secure-rbac
    parent: barbican-tempest-plugin-simple-crypto
    vars:
+      devstack_localrc:
+        ENFORCE_SCOPE: True
      devstack_local_conf:
-        post-config:
-          $BARBICAN_CONF:
-            oslo_policy:
-              enforce_new_defaults: True
-              enforce_scope: True
-            # (lpiwowar): Uncomment once this bug is resolved:
-            # https://bugs.launchpad.net/barbican/+bug/2043457
-            # secretstore:
-            #  enable_multiple_secret_stores: True
-            #  stores_lookup_suffix: simple_crypto
-            # secretstore:simple_crypto:
-            #  secret_store_plugin: store_crypto
-            #  crypto_plugin: simple_crypto
-            #  global_default: true
+        # (lpiwowar): Uncomment once this bug is resolved:
+        # https://bugs.launchpad.net/barbican/+bug/2043457
+        # post-config:
+        #   $BARBICAN_CONF:
+        #     secretstore:
+        #      enable_multiple_secret_stores: True
+        #      stores_lookup_suffix: simple_crypto
+        #     secretstore:simple_crypto:
+        #      secret_store_plugin: store_crypto
+        #      crypto_plugin: simple_crypto
+        #      global_default: true
        test-config:
          $TEMPEST_CONFIG:
            enforce_scope:
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase,
                         api_version_utils.BaseMicroversionTest):
    """Base class for all api tests."""

-    # Why do I have to be an admin to create secrets? No idea...
-    credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
+    credentials = ['project_admin']
    client_manager = clients.Clients
    created_objects = {}

@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase,
        cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
        cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
        cls.version_client = os.secret_v1_1.VersionClient()
-
-        os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
        cls.quota_client = os.secret_v1.QuotaClient()

    @classmethod
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base

 from tempest import config
 from tempest.lib import decorators
-from tempest.lib import exceptions
+

 CONF = config.CONF

@ -26,26 +26,19 @@ class QuotasTest(base.BaseKeyManagerTest):

    @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
    def test_get_effective_quota(self):
-        if CONF.enforce_scope.barbican:
-            # This test is using key-manager:service-admin legacy
-            # role. User with only this role should get a Forbidden
-            # error when trying to get effective quotas in SRBAC
-            # environment.
-            self.assertRaises(
-                exceptions.Forbidden,
-                self.quota_client.get_default_project_quota)
-        else:
-            body = self.quota_client.get_default_project_quota()
-            quotas = body.get('quotas')
-            self.assertEqual(-1, quotas.get('secrets'))
-            self.assertEqual(-1, quotas.get('cas'))
-            self.assertEqual(-1, quotas.get('orders'))
-            self.assertEqual(-1, quotas.get('containers'))
-            self.assertEqual(-1, quotas.get('consumers'))
+        body = self.quota_client.get_default_project_quota()
+        quotas = body.get('quotas')
+        self.assertEqual(-1, quotas.get('secrets'))
+        self.assertEqual(-1, quotas.get('cas'))
+        self.assertEqual(-1, quotas.get('orders'))
+        self.assertEqual(-1, quotas.get('containers'))
+        self.assertEqual(-1, quotas.get('consumers'))


 class ProjectQuotasTest(base.BaseKeyManagerTest):

+    credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
+
    @classmethod
    def skip_checks(cls):
        super().skip_checks()
@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
            raise cls.skipException("enforce_scope is enabled for barbican, "
                                    "skipping project quota tests.")

+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
+
    @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
    def test_manage_project_quotas(self):
        # Confirm that there are no quotas