From 26928121dd76740c7e5832fe52d16917fab9c866 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Mon, 19 Feb 2024 14:07:59 -0600 Subject: [PATCH] Update roles required for testing This patch removes the hard-coded 'key-manager:service-admin' role from the base test class because the role is not available in deployments with the new Secure RBAC policies enabled. There is only one test that still requires this role in the API quotas tests, so we generate a dynamic user there and only use it in this class. This test is skipped when SRBAC is enabled. Change-Id: I6fbfe43f821d9315e01d3bdfd6f5d4edf4e552b7 --- .zuul.yaml | 29 ++++++++--------- barbican_tempest_plugin/tests/api/base.py | 5 +-- .../tests/api/test_quotas.py | 32 +++++++++---------- 3 files changed, 30 insertions(+), 36 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index da61788..01a1c16 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -42,7 +42,7 @@ test-config: $TEMPEST_CONFIG: auth: - tempest_roles: creator + create_isolated_networks: False image-feature-enabled: # this may be removed soon, as api_v1 is false since tempest>=20 api_v1: False 
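Review bot: Removing `tempest_roles: creator` in the first `.zuul.yaml` hunk means dynamically provisioned test users no longer receive the `creator` role, and the commit message explains neither this nor the `create_isolated_networks: False` that replaces it. If a test outside this diff still creates secrets as a non-admin user under the legacy policy, it would now be denied. If none does, the job no longer exercises a non-admin path at all. A comment above the new key such as `# no global tempest_roles: each test class requests its persona via 'credentials'` would record the intent, and the reason for disabling isolated networks belongs in the commit message.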
@@ -159,21 +159,20 @@ name: barbican-tempest-plugin-simple-crypto-secure-rbac parent: barbican-tempest-plugin-simple-crypto vars: + devstack_localrc: + ENFORCE_SCOPE: True devstack_local_conf: - post-config: - $BARBICAN_CONF: - oslo_policy: - enforce_new_defaults: True - enforce_scope: True - # (lpiwowar): Uncomment once this bug is resolved: - # https://bugs.launchpad.net/barbican/+bug/2043457 - # secretstore: - # enable_multiple_secret_stores: True - # stores_lookup_suffix: simple_crypto - # secretstore:simple_crypto: - # secret_store_plugin: store_crypto - # crypto_plugin: simple_crypto - # global_default: true + # (lpiwowar): Uncomment once this bug is resolved: + # https://bugs.launchpad.net/barbican/+bug/2043457 + # post-config: + # $BARBICAN_CONF: + # secretstore: + # enable_multiple_secret_stores: True + # stores_lookup_suffix: simple_crypto + # secretstore:simple_crypto: + # secret_store_plugin: store_crypto + # crypto_plugin: simple_crypto + # global_default: true test-config: $TEMPEST_CONFIG: enforce_scope: diff --git a/barbican_tempest_plugin/tests/api/base.py b/barbican_tempest_plugin/tests/api/base.py index aa500f7..50ae662 100644 --- a/barbican_tempest_plugin/tests/api/base.py +++ b/barbican_tempest_plugin/tests/api/base.py @@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase, api_version_utils.BaseMicroversionTest): """Base class for all api tests.""" - # Why do I have to be an admin to create secrets? No idea... - credentials = ('admin', ['service_admin', 'key-manager:service-admin']) + credentials = ['project_admin'] client_manager = clients.Clients created_objects = {} @@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase, cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient() cls.secret_metadata_client = os.secret_v1.SecretMetadataClient() cls.version_client = os.secret_v1_1.VersionClient() - - os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0]) cls.quota_client = os.secret_v1.QuotaClient() @classmethod 
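Review bot: The secure-RBAC job no longer sets `enforce_new_defaults: True` and `enforce_scope: True` explicitly under `oslo_policy` in `$BARBICAN_CONF`. It now relies on `ENFORCE_SCOPE: True` in `devstack_localrc` being translated into both options by the devstack plugin, which this diff does not show. If that translation sets only `enforce_scope`, the job would stay green while still evaluating the legacy policy defaults. A comment on the new key, e.g. `# devstack plugin maps this to oslo_policy enforce_scope and enforce_new_defaults`, would make the dependency visible; a post-run check of the rendered barbican.conf would confirm it.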
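Review bot: In `BaseKeyManagerTest`, `credentials` changes from a tuple carrying a role list to a single-element list, and the deleted comment is not replaced, so nothing explains why every API test runs as a project admin. Because all subclasses inherit this persona, the suite cannot notice a policy that wrongly admits or rejects a non-admin user; that gap predates this change but is worth stating in the code. Suggest `# project_admin works with both legacy and secure-RBAC policy defaults; subclasses needing another persona override 'credentials'`. In the second base.py hunk `quota_client` now comes from the `os` manager bound earlier in `setup_clients`, which lies outside the hunk and presumably resolves from `credentials[0]`.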
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py index f2e00c1..e9cc39a 100644 --- a/barbican_tempest_plugin/tests/api/test_quotas.py +++ b/barbican_tempest_plugin/tests/api/test_quotas.py @@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base from tempest import config from tempest.lib import decorators -from tempest.lib import exceptions + CONF = config.CONF @@ -26,26 +26,19 @@ class QuotasTest(base.BaseKeyManagerTest): @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f') def test_get_effective_quota(self): - if CONF.enforce_scope.barbican: - # This test is using key-manager:service-admin legacy - # role. User with only this role should get a Forbidden - # error when trying to get effective quotas in SRBAC - # environment. - self.assertRaises( - exceptions.Forbidden, - self.quota_client.get_default_project_quota) - else: - body = self.quota_client.get_default_project_quota() - quotas = body.get('quotas') - self.assertEqual(-1, quotas.get('secrets')) - self.assertEqual(-1, quotas.get('cas')) - self.assertEqual(-1, quotas.get('orders')) - self.assertEqual(-1, quotas.get('containers')) - self.assertEqual(-1, quotas.get('consumers')) + body = self.quota_client.get_default_project_quota() + quotas = body.get('quotas') + self.assertEqual(-1, quotas.get('secrets')) + self.assertEqual(-1, quotas.get('cas')) + self.assertEqual(-1, quotas.get('orders')) + self.assertEqual(-1, quotas.get('containers')) + self.assertEqual(-1, quotas.get('consumers')) class ProjectQuotasTest(base.BaseKeyManagerTest): + credentials = ['admin', ['service_admin', 'key-manager:service-admin']] + @classmethod def skip_checks(cls): super().skip_checks() 
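Review bot: With the `CONF.enforce_scope.barbican` branch removed from `test_get_effective_quota`, this file no longer asserts any `Forbidden` response, so under secure RBAC the quota tests only confirm that an admin persona can read the defaults. The old assertion depended on the legacy role and could not stay, but a denial check for a persona that should not reach the quota API would keep the authorization boundary under test. On the new `ProjectQuotasTest.credentials` line, a comment such as `# legacy-only role; this class is skipped when enforce_scope is enabled` would explain why requesting `key-manager:service-admin` is safe here.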
@@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest): raise cls.skipException("enforce_scope is enabled for barbican, " "skipping project quota tests.") + @classmethod + def setup_clients(cls): + super().setup_clients() + cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient() + @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc') def test_manage_project_quotas(self): # Confirm that there are no quotas
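Review bot: The new `setup_clients` hard-codes `cls.os_roles_service_admin`, an attribute that exists only because `service_admin` is the first role in the class's `credentials` entry. If that list is reordered or renamed, the class fails at setup with an AttributeError instead of a clear message. Either add `# os_roles_<first role> is created by tempest from the role list in 'credentials'`, or derive the name as the removed base-class line did: `getattr(cls, 'os_roles_%s' % cls.credentials[1][0])`. Only `quota_client` is rebound here; the other clients set by the base `setup_clients`, outside this hunk, appear to remain on the `admin` manager.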