Merge "Update roles required for testing"

This commit is contained in:
Zuul 2024-03-08 15:21:11 +00:00 committed by Gerrit Code Review
commit f95155dc76
3 changed files with 30 additions and 36 deletions

View File

@ -42,7 +42,7 @@
test-config: test-config:
$TEMPEST_CONFIG: $TEMPEST_CONFIG:
auth: auth:
tempest_roles: creator create_isolated_networks: False
image-feature-enabled: image-feature-enabled:
# this may be removed soon, as api_v1 is false since tempest>=20 # this may be removed soon, as api_v1 is false since tempest>=20
api_v1: False api_v1: False
@ -159,21 +159,20 @@
name: barbican-tempest-plugin-simple-crypto-secure-rbac name: barbican-tempest-plugin-simple-crypto-secure-rbac
parent: barbican-tempest-plugin-simple-crypto parent: barbican-tempest-plugin-simple-crypto
vars: vars:
devstack_localrc:
ENFORCE_SCOPE: True
devstack_local_conf: devstack_local_conf:
post-config: # (lpiwowar): Uncomment once this bug is resolved:
$BARBICAN_CONF: # https://bugs.launchpad.net/barbican/+bug/2043457
oslo_policy: # post-config:
enforce_new_defaults: True # $BARBICAN_CONF:
enforce_scope: True # secretstore:
# (lpiwowar): Uncomment once this bug is resolved: # enable_multiple_secret_stores: True
# https://bugs.launchpad.net/barbican/+bug/2043457 # stores_lookup_suffix: simple_crypto
# secretstore: # secretstore:simple_crypto:
# enable_multiple_secret_stores: True # secret_store_plugin: store_crypto
# stores_lookup_suffix: simple_crypto # crypto_plugin: simple_crypto
# secretstore:simple_crypto: # global_default: true
# secret_store_plugin: store_crypto
# crypto_plugin: simple_crypto
# global_default: true
test-config: test-config:
$TEMPEST_CONFIG: $TEMPEST_CONFIG:
enforce_scope: enforce_scope:

View File

@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase,
api_version_utils.BaseMicroversionTest): api_version_utils.BaseMicroversionTest):
"""Base class for all api tests.""" """Base class for all api tests."""
# Why do I have to be an admin to create secrets? No idea... credentials = ['project_admin']
credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
client_manager = clients.Clients client_manager = clients.Clients
created_objects = {} created_objects = {}
@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase,
cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient() cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
cls.secret_metadata_client = os.secret_v1.SecretMetadataClient() cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
cls.version_client = os.secret_v1_1.VersionClient() cls.version_client = os.secret_v1_1.VersionClient()
os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
cls.quota_client = os.secret_v1.QuotaClient() cls.quota_client = os.secret_v1.QuotaClient()
@classmethod @classmethod

View File

@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base
from tempest import config from tempest import config
from tempest.lib import decorators from tempest.lib import decorators
from tempest.lib import exceptions
CONF = config.CONF CONF = config.CONF
@ -26,26 +26,19 @@ class QuotasTest(base.BaseKeyManagerTest):
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f') @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
def test_get_effective_quota(self): def test_get_effective_quota(self):
if CONF.enforce_scope.barbican: body = self.quota_client.get_default_project_quota()
# This test is using key-manager:service-admin legacy quotas = body.get('quotas')
# role. User with only this role should get a Forbidden self.assertEqual(-1, quotas.get('secrets'))
# error when trying to get effective quotas in SRBAC self.assertEqual(-1, quotas.get('cas'))
# environment. self.assertEqual(-1, quotas.get('orders'))
self.assertRaises( self.assertEqual(-1, quotas.get('containers'))
exceptions.Forbidden, self.assertEqual(-1, quotas.get('consumers'))
self.quota_client.get_default_project_quota)
else:
body = self.quota_client.get_default_project_quota()
quotas = body.get('quotas')
self.assertEqual(-1, quotas.get('secrets'))
self.assertEqual(-1, quotas.get('cas'))
self.assertEqual(-1, quotas.get('orders'))
self.assertEqual(-1, quotas.get('containers'))
self.assertEqual(-1, quotas.get('consumers'))
class ProjectQuotasTest(base.BaseKeyManagerTest): class ProjectQuotasTest(base.BaseKeyManagerTest):
credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
@classmethod @classmethod
def skip_checks(cls): def skip_checks(cls):
super().skip_checks() super().skip_checks()
@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
raise cls.skipException("enforce_scope is enabled for barbican, " raise cls.skipException("enforce_scope is enabled for barbican, "
"skipping project quota tests.") "skipping project quota tests.")
@classmethod
def setup_clients(cls):
super().setup_clients()
cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
@decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc') @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
def test_manage_project_quotas(self): def test_manage_project_quotas(self):
# Confirm that there are no quotas # Confirm that there are no quotas