216 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles
7d1a8e4a93 Deprecate Dogtag subca tests
Change-Id: I815fa1bd001329599523004ced6c8b74d0d520d2
2017-02-02 16:23:34 -05:00
Nam Nguyen Hoai
4ff005abf6 Clean imports in code
This patch set modifies lines which are importing objects
instead of modules. As per OpenStack import guidelines,
user should import modules in a file not objects.

http://docs.openstack.org/developer/hacking/#imports

Change-Id: Iec8caf72cbaa4f245e38aa7d68632783842a34be
2017-01-25 09:41:12 +07:00
Jenkins
ea725053c0 Merge "Pass secret_type to repository query" 2016-12-08 20:59:32 +00:00
Kaitlin Farr
fba4607f6e Pass secret_type to repository query
In the secrets controller, the list functionality had a "secret_type"
argument, but wasn't being used in the actual query to the secrets repo.
This fixes the issue and adds functional tests to ensure the filter
queries are working correctly.

Change-Id: Ifa42f5e817908973dd8b927e4744cdc754a4b027
2016-11-21 12:24:07 -05:00
Jeremy Liu
9ef8efbc92 Fix hacking check error
This patch includes changes:

  1. use more specified 'assert' check
  2. remove use of str() on an exception
  3. use a dict comprehension instead of a dict constructor

Change-Id: I24fbf16d0bcbe5ca9780770212b511f49927303d
2016-11-18 11:29:53 +08:00
Gábor Antal
06fc1cd523 Replaced assertion with more specific
Change-Id: Ia08d26ee980e5933ffa6b4ae5c4d8d29c9c498eb
2016-10-27 09:53:52 +02:00
Jiong Liu
403e440f85 Fix order of arguments in assertEqual
The correct order expected by testtools is assertEqual(expected, observed).

Change-Id: I93eaab96f170e72cfcbc763f384fd9358842ef69
Partial-Bug: #1259292
2016-09-29 13:21:33 +00:00
Jenkins
d29569882f Merge "Clean imports in code" 2016-09-15 23:49:50 +00:00
Arun Kant
845b3d045b Adding functional tests for multiple backend changes (Part 5)
Change-Id: Iaf02d446a178baaa3e61d6a7267717822bd957f8
Partially-Implements: blueprint multiple-secret-backend
2016-09-14 10:18:37 -07:00
Jenkins
14ae36d3e5 Merge "Remove consumer check for project_id to match containers" 2016-09-13 17:52:42 +00:00
Jenkins
f519c4afb1 Merge "Fix test suite cleanup" 2016-09-13 03:53:33 +00:00
Pan
38ecf5b51f Remove consumer check for project_id to match containers
I believe this is the correct behavior, as it would match how
containers handles these operations. This change facilitates
the LBaaS Barbican TLS workflow (which should be the same as
what other services will use in the future too).

The RBAC settings for consumer POST should be set to
use the same ACL rules as container GET (plus admin).

The RBAC settings for consumer DELETE should be:
 * Any user with Delete permissions on the Container
 * Any user that both: has ACL Read access to the Container; is a member
   of the project that created the Consumer being deleted

Change-Id: Ie84784573893934c2887814a200e7386314b4f18
Closes-Bug: #1519170
2016-09-03 11:59:39 -04:00
Béla Vancsics
986824123b Use more specific asserts in tests
Instead of assertTrue and assertFalse use more specific asserts.
They are compatible with Python 2.7[1] and 3.4[2]

[1]: https://docs.python.org/2.7/library/unittest.html
[2]: https://docs.python.org/3.4/library/unittest.html

Change-Id: I75263c1cf81c8dfc98f055331c9323e7bbb13707
2016-08-25 10:37:52 +02:00
liujiong
14df7412d2 Fix test suite cleanup
Some test suites did not cleanup all created objects

Change-Id: I4237d92817267e07fc9f56c4f3cff1ace6a1978b
2016-08-19 09:34:22 +08:00
Nguyen Hung Phuong
b6f2257118 Clean imports in code
In some part in the code we import objects.
In the OpenStack style guidelines they recommend to import only modules.

http://docs.openstack.org/developer/hacking/#imports

Change-Id: Ibd3464b52fd70bbfe77ce35cdffbbef95de24b12
2016-08-18 11:52:58 +07:00
Arun Kant
ce6336f393 User with creator role can delete his/her own secret and container
Modified policy and tests to verify this change.

As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.

There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.

Updated role docs to reflect this behavior.

Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
2016-07-25 13:42:01 -07:00
liujiong
8bef6b47a5 Change SecretAcceptNotSupportedException from exception.BarbicanException to exception.BarbicanHTTPException
When retrieving secret's payload without providing payload_content_type,
if the payload_content_type is not default as "text/plain", we get 500 error.
Since this is generated by invalid input, we should mark this as 406 error.

Closes-bug: #1590097
Change-Id: I9ca94b7c66995991a9b0df37a46bd082e9795b74
2016-06-14 14:32:27 +08:00
Thomas Dinkjian
813818b972 Fixed test suite cleanup
Test suite was not cleaning up all created objects.

Change-Id: Id779e8cebc71ff179468ece3e189dcc4f4a16eef
2016-05-13 09:52:06 -05:00
Jenkins
f9f8d3be56 Merge "Fix skip message for dogtag plugins" 2016-04-22 16:14:57 +00:00
Arun Kant
19f69ccee2 Adding support for barbican host href to be derived from wsgi request
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.

This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.

To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.

Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For

Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.

Added a flag in barbican-functional.conf to indicate barbican server setting.
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.

Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
2016-04-13 09:33:56 -07:00
Kaitlin Farr
950c610b7a Fix skip message for dogtag plugins
One of the messages for a skipped test was "The following plugin(s)
need to be enabled:" and would not list any further info. This fixes
the minor formatting issue.

Change-Id: If946d69646a25bfe3df801b986032dd8bc67c0e1
2016-04-12 16:00:54 -04:00
Kaitlin Farr
d590380e20 Add skips for KMIP functional tests
In preparation for adding a KMIP gate, adds the ability to skip functional
tests that are not compatible with a KMIP device. Some tests are skipped
because invalid algorithms or bit lengths are passed to the device. Other
tests are skipped because the tested feature doesn't exist for the PyKMIP
software server yet.

To enable skipping the non-compatible functional tests for a KMIP back
end, set the environment variable using:
    export KMIP_PLUGIN_ENABLED=1

Co-authored-by: Nathan Reller <nathan.reller@jhuapl.edu>
Change-Id: Id908bf57233af84bff56d90c75d175b04ccd4373
2016-04-08 15:51:35 -04:00
Jenkins
d427a17491 Merge "Return 404 when a secret does not have a payload" 2016-04-04 21:47:26 +00:00
Jenkins
e90da9d7d9 Merge "Update project quota paging tests to run with existing project quotas" 2016-04-01 14:47:17 +00:00
Fernando Diaz
d9b5ac8295 Return 404 when a secret does not have a payload
Currently when a Secret payload GET is performed, a 500 Error will
be thrown if there is no payload present. The correct behavior
would be to throw a 404.

Change-Id: Ibbe8a592c853fc0196ae7c2daf365754c800fc87
Partial-Bug: #1561701
2016-03-30 20:53:04 +00:00
Freddy Pedraza
05773402b7 Update project quota paging tests to run with existing project quotas
This CR updates the tests to check for existing project quotas
and uses that count when validating the project quota paging tests.

Change-Id: Ic9e58207207396239280f29b6874fb503fd5195b
2016-03-28 13:35:30 -05:00
Jenkins
d6a606d410 Merge "Add cleanup capability for secrets and containers" 2016-03-23 16:56:46 +00:00
Steve Heyman
2b10863514 Ensure that smoke tests cleanup their containers
Added missing container cleanup to smoke tests.

Change-Id: I16667de00c493160de5dc145ac7dea0af1899a5e
2016-03-21 13:19:58 -05:00
Steve Heyman
295dba14d2 Add cleanup capability for secrets and containers
Created cleanup functions for secrets and containers.  They can be
run just like a single testcase but they aren't included when you
run the functional test suite.

The secrets cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets

The containers cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers

The cleanup code will walk through the list of functional test users
(i.e. the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.

You can use this in your own CI/CD process to ensure that a functional
test run always starts with zero secrets/containers for the functional
test users.

Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
2016-03-21 13:07:38 -05:00
Steve Heyman
657a54167d Cleanup containers after functional tests run
Added missing cleanup to containers and consumers tests to
delete any created containers.

Change-Id: I35510aeaf5c64479cd030ef0226d34a231ae6717
2016-03-19 10:38:50 -05:00
Jenkins
967d8a143b Merge "User Metadata API and tests" 2016-03-03 21:24:45 +00:00
Jenkins
598d3b89a0 Merge "Adding check on Offset" 2016-03-03 06:34:19 +00:00
Fernando Diaz
ba3b7093ac User Metadata API and tests
This patch adds the api functions for user metadata and tests for
those functions. It is the second of several patches which will
complete the "User Defined Metadata for Barbican Secrets" blueprint.

Other Patches will include:
1.) Documentation

Implements: blueprint add-user-metadata
Change-Id: Iaf83bf5a3b9ed2ea22d4cd3e83ba3a0d5d087adf
2016-03-02 21:44:28 +00:00
Fernando Diaz
52b0479fcc Introduce User-Meta table, model, and repo
This patch introduces the user-meta database table, model, and
repository. It is the first of several patches which will complete
the "User Defined Metadata for Barbican Secrets" Blueprint.

Other Patches will include:
1.) API and Tests (Unit and Functional)
2.) Documentation
3.) Client Upgrades

Implements: blueprint add-user-metadata
Change-Id: I4b6ae9e7090eb66fe8c89e62116d9a8483642a29
2016-03-01 21:59:20 +00:00
Steve Heyman
1532f61b52 Fix http 500 when getting secret payload with no Accept header
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.

Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.

Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
2016-02-21 20:48:46 -06:00
Priti Desai
772221a7a8 Adding check on Offset
When a large offset is specified in GET API, causes
failure with 500 error. Adding check if offset is
greater than sys.maxsize, set offset to 0 instead of
failing with 500. Setting offset to 0, returns the
number of records (as specified by limit) ordered by
created_date.

Comparing offset with the sys.maxsize which is
compatible with all the different Python versions available.

Closes-bug: #1481012

Change-Id: I70a59e0edb9378271e62b6759dfb02c8c0110ac0
2016-01-20 12:55:13 -08:00
Jenkins
8b9d581d11 Merge "Added ACL tests" 2015-12-10 16:31:04 +00:00
Thomas Dinkjian
1818ab7a90 Added ACL tests
Added tests to show the impact of ACLs on container consumers.
Added several edge case ACL tests to verify ACLs do not
override RBAC

Change-Id: Ia503a7abf32640260babb693c94c051e478f7b65
2015-12-07 14:27:45 -06:00
Steve Heyman
2541181809 Added container consumer end to end flow testcase
Also refactored the consumer tests to support auth and
unauth tests, as well as certificate container consumers.

Change-Id: I6df0b1c74de37b0b9d4123b4391f11dacdf6b417
2015-12-01 15:20:23 -06:00
Steve Heyman
546003b03c Fix spelling of HATEOAS
We've misspelled HATEOAS in several places.  This CR fixes those
misspellings.

Change-Id: I2daa92e8b6ba3a978bea47d81090e72918458634
2015-10-17 12:08:20 -05:00
Jenkins
d0a4e3bc7a Merge "Python 3 Refactoring: Replace six.iteritems() with the preferred items()" 2015-10-09 06:02:57 +00:00
Dave McCowan
8bbf06caae Enforce project ownership of subCAs
The add-to-project and create CA commands can only be performed by
a project administrator when the target CA is either a root CA
or a subCA owned by the admin's project.

This CR adds checks to enforce this condition.

Change-Id: Ifbd7bb471b137a5549a8e627344f8f02adda2ed1
Closes-bug: #1501862
2015-10-01 15:53:40 -04:00
Dave McCowan
4afaee095a Check a CA's status as project and preferred CA before deleting
If a CA is preferred and not the last CA of a project, it should
not be deleted.  A user is informed of this with a 409 status code.

Otherwise, the CA can be deleted as well as any record of it in the
CA project list and the CA preferred list.

Change-Id: I9a1ee91252ee17746cfcffd11cba520270d09f21
Closes-bug: #1499876
2015-10-01 11:52:53 -04:00
Dave McCowan
11cb5629f6 Python 3 Refactoring: Replace six.iteritems() with the preferred items()
With Python3, the iteritems() method has been removed from dictionaries.
This leaves us with two options:
   1) replace with six.iteritems(dictionary)
   2) replace with dictionary.items()

The OpenStack Python 3 coders have documented their preference,
and we should follow it. Their preference is dictionary.items()

Change-Id: I2e27819404ae071bd21bfe4555e50dc8df9c65aa
Partially-Implements: blueprint barbican-py3
2015-10-01 08:17:32 -04:00
Ade Lee
be40fa7d03 Add subca functionality to the dogtag plugin
The Dogtag CA plugin has been modified to support
subordinate CAs.  This includes updating the list of
CAs read from the CA when the CA list is refreshed.

Unit tests for the Dogtag CA have been updated, and functional
tests have been added for the Dogtag CA for subca creation.

Also added some exceptions to convey issues in subca creation
and deletion.

Partially-Implements: blueprint add-cas
Change-Id: I1766cb4a2069ea56d386067c9aa2811a50410a9d
2015-09-30 17:21:14 -04:00
Dave McCowan
5c67eabd7c Use subCA when specified to sign CSRs
Snakeoil was always using the root CA to sign CSRs.  With this
commit it will use the CA whose reference was passed.

Change-Id: I6afee4414aa4d2878f619f0f3650361a7b1d6ea8
Closes-Bug: 1499874
Partially-implements: blueprint add-cas
2015-09-25 17:52:09 -04:00
Jenkins
b9d21ee4f2 Merge "Add check to validators that SubCA's project id matches order's project id" 2015-09-24 12:10:01 +00:00
Dave McCowan
6e782931db Add check to validators that SubCA's project id matches order's project id
A subCA is owned by a project and should only be used by a user with
a role in that project.  This change adds a check that forces a 403
error indicating authorization issues if a user from a different
project posts an order referencing a subCA.

Change-Id: Ia34c4b0d48f605c491b9604099e8715cb9eff316
Closes-bug: #1498289
Partially-implements: blueprint add-cas
2015-09-23 20:13:38 -04:00
Jenkins
9f99ec28d1 Merge "Change behavior of GET cas/preferred" 2015-09-22 20:03:02 +00:00
Jenkins
82ed6f3141 Merge "Changes to Preferred CA Features" 2015-09-22 18:53:11 +00:00