44 Commits

Author SHA1 Message Date
Kaitlin Farr
8a057cdd40 Change tempest find_test_caller import
The tempest.lib.common.utils.misc.find_test_caller is
deprecated, replace with tempest.lib.common.utils.
test_utils.find_test_caller.

Closes-Bug: #1666299
Change-Id: I974c482825686d49ad1dfd25eac00e85d0fc6b50
2017-02-22 09:11:32 -05:00
Douglas Mendizábal
39331ca5d2 Use Domains with Keystone v3 in functional tests
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.

Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
2016-09-27 21:22:25 +00:00
Arun Kant
845b3d045b Adding functional tests for multiple backend changes (Part 5)
Change-Id: Iaf02d446a178baaa3e61d6a7267717822bd957f8
Partially-Implements: blueprint multiple-secret-backend
2016-09-14 10:18:37 -07:00
Arun Kant
ce6336f393 User with creator role can delete his/her own secret and container
Modified policy and tests to verify this change.

As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.

There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.

Updated role docs to reflect this behavior.

Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
2016-07-25 13:42:01 -07:00
Jenkins
2f421d98c4 Merge "Code cleanup" 2016-05-19 17:23:06 +00:00
Daniel Gonzalez
c6fbe7f466 Replace tempest-lib with tempest.lib
tempest-lib is deprecated, replace it with tempest.lib.

Closes-Bug: #1553047
Change-Id: Iaebffd042858a0777854d15f10fdd195ff24b340
2016-04-28 15:26:49 -05:00
Pan
d8d178599a Code cleanup
Some cleanup on common usage and patterns

Change-Id: I55c002b38618ebde0a86ab47de1447d7d3a44327
2016-04-28 15:13:53 -04:00
Arun Kant
19f69ccee2 Adding support for barbican host href to be derived from wsgi request
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.

This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.

To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.

Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For

Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.

Added a flag in barbican-functional.conf to indicate barbican server setting.
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.

Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
2016-04-13 09:33:56 -07:00
Jenkins
df8aab57fb Merge "Add a configurable setting in barbican-functional.conf for SSL" 2016-03-28 04:59:34 +00:00
Jenkins
d6a606d410 Merge "Add cleanup capability for secrets and containers" 2016-03-23 16:56:46 +00:00
Steve Heyman
c68acb2f28 Add a configurable setting in barbican-functional.conf for SSL
Normal requests from the functional tests specify verify=True to
validate certs.  However, for internal or test deployments you
may require verify=False.  This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.

To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.

Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
2016-03-23 09:30:53 -05:00
Steve Heyman
82de5e3175 Add a configurable setting in barbican-functional.conf for timeouts
When debugging API calls, you often timeout because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.

Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
2016-03-21 14:17:58 -05:00
Steve Heyman
295dba14d2 Add cleanup capability for secrets and containers
Created cleanup functions for secrets and containers.  They can be
run just like a single testcase but they aren't included when you
run the functional test suite.

The secrets cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets

The containers cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers

The cleanup code will walk through the list of functional test users
(ie the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.

You can use this in your own CI/CD process to ensure that a functional
test run always starts with zero secrets/containers for the functional
test users.

Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
2016-03-21 13:07:38 -05:00
Steve Heyman
1532f61b52 Fix http 500 when getting secret payload with no Accept header
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.

Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.

Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
2016-02-21 20:48:46 -06:00
Steve Heyman
9e4bddbe8f Add secret=True so passwords do not get logged
Update config opts to add secret=True so that we do
not log sensitive information.

Change-Id: Iebf33dfdd4564a82fc1ef22685bd3ec842a0e85d
2016-01-22 12:50:59 -06:00
Arun Kant
ea95d8e768 Making barbican endpoint selection values to be configurable attributes.
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.

Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
2015-09-30 12:25:18 -07:00
jfwood
dea3b4817c Add default quota limit config to functional tests
Expected quota limits were -1, but deployers can change these defaults
so functional tests should also allow for these default limits to be
configured. This CR adds those configurations.

Change-Id: I889227560206cd60f774157e690d9341441ee76b
Closes-Bug: #1498525
2015-09-22 09:55:19 -05:00
Dave McCowan
9614a0c45b Introduce the key-manager:service-admin role
In Barbican, the admin role specifies a user that has complete
authority over resources within a project.  An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.

With the implementation of the quotas blueprint, there is a need for
a new limited purpose role.  This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.

This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.

The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas.  It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.

Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
2015-08-17 23:55:44 -04:00
Jenkins
1d6678704a Merge "Implement Configuration, Controllers, and Validators for Resource Quotas" 2015-07-22 14:51:46 +00:00
Dave McCowan
7bbf9e48ac Add RBAC Functional Test for ACL Operations
Adding functional tests that verify that only roles who should have
access to operate on ACLs can operate on ACLs.

Operations Covered: Set, Get, Update, and Delete of ACLs
User Roles Covered: Admin, Creator, Observer, Auditor of Project under
                    test.  And Admin and Observer with token scoped
                    to a different project.

Change-Id: I0431de273062ee774ab70986c7e066a742215d3a
Relates-to: blueprint multi-user-functional-tests
2015-07-16 15:39:28 -05:00
Dave McCowan
ce5b32ac13 Implement Configuration, Controllers, and Validators for Resource Quotas
In the interest of smaller CRs, this CR partially implements the
quota support blueprint.  It includes code for configuration,
controller, and validator.  Also, the framework for unit and functional
tests.

The controllers process the URL resources /quotas and /project-quotas.
The configuration code reads the quota default values from the [quotas]
section of barbican.conf.  The validator code checks the validity of
the JSON sent with a POST /project-quotas/ API command.

Implements: blueprint quota-support-on-barbican-resources
Change-Id: Iad09b19cf6b9a6fa6b29d8b99e3f72172f801070
2015-07-13 16:24:55 +00:00
Steve Heyman
5e82cbeaec Add more users/roles to secret/container RBAC tests
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests.  This completes
the matrix of tests for secret and container GET.

Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 16:07:16 -05:00
Dave McCowan
28135c1099 Add Multi-user support for Functional Tests
This commit adds the infrastructure for multi user testing.  It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.

Six users with four roles and two projects are added.
   In Project A: admin_a, creator_a, observer_a, auditor_a
   In Project B: admin_b, observer_b

Get Secrets and Get Containers are tested for each user.

Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests

Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
2015-05-08 17:06:54 -04:00
Douglas Mendizábal
829c7dc6e1 Fix base64 decoding of payloads in one-step POST
Fix the way that normalization was handling base64 encoding in a
one-step POST secret creation.

Previous to this CR, PEM payloads in a one-step POST with
payload_content_encoding="base64" were being converted to DER form,
which was inconsistent with the way content-encoding works with other
secret types.

This CR requires that PEM payloads be base64 encoded in their entirety
to be included in a one-step POST.

This also means that when a PEM payload is passed to the secret_store it
will be base64 encoded in its entirety, so secret stores that need to
use DER forms need to make the conversion internally in the plugin.
I will add the changes for the KMIP secret store in a follow-up CR.

Barbican core also expects PEM formatted payloads that have been base64
encoded back from the secret_store during a get, so those changes are
made as well.

Fixes-Bug: #1441866
Change-Id: Ifbe021729a14f18fddd05991f6f96e49fbcf5c01
Co-Authored-By: Dave McCowan <dmccowan@cisco.com>
2015-04-15 21:07:25 -07:00
Dave McCowan
0982ea7ffb Add new smoke tests for RSA type containers and secrets
This adds new functional tests that mimic the curl test
examples in doc/source/api/reference/secret_types.rst.

The new tests are:
  Create private secret with POST.
  Create private secret with POST and PUT.
  Create public secret with POST.
  Create public secret with POST and PUT.
  Create passphrase secret with POST.
  Create RSA container with POST.
  Order RSA container
  Order certificates

The secrets used in this test are generated using OpenSSL.
Per the API reference, the stored and retrieved
secret values should match.

The secret formats are:
  private: PKCS#8 PEM
  public: PEM
  passphrase: text
  certificate: PEM

Secrets sent in JSON via POST are base64 encoded
Secrets sent in the body via POST and PUT are sent natively

The public and private tests fail pending a fix for 1441866.

Change-Id: I82d9864e0ee6e20d1f07b0f171c776ac4ea24171
2015-04-12 00:07:19 -04:00
John Vrbanac
a9eb91823d Making sure we allow all content-types for delete calls
Considering we don't care about the accept or content-type
headers for delete calls. This change allows for someone to use
whatever accept header for delete calls to orders and containers
by adding the allow_all_content_type decorator. This provides
better compatibility across REST clients as some automatically
add the Accept application/json header to their calls. In
addition, this adds the accept application/json header to
our functional tests. If we're testing how the app handles
headers, then those should be specific tests.

Change-Id: I7fb4ba7c30ade9a5d4392d85b1a367987c851752
2015-03-14 17:23:39 -05:00
Adam Harwell
4db87956df Fix functionaltest keystone URL fetch bug for v2
Change-Id: Iccc76bcc5fb3d73ea9738e5a8ec99554530c1e05
2015-03-13 10:21:33 -05:00
John Vrbanac
2a4fb02bb3 Replacing functional test authentication hookup
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.

Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
2015-03-11 02:39:33 -05:00
Juan Antonio Osorio Robles
10cb949501 Use urljoin instead of os.path.join
In the client used for the functional tests, os.path.join is being
used to attach segments of URLs. So urljoin is being proposed here
instead, since it's a more appropriate function for this.

Change-Id: Id43a349702e695fcc9630814def21dd48b23d0e8
2015-03-03 10:29:45 +02:00
Douglas Mendizabal
124d232e5c Remove version from endpoints in catalog
Remove the API version from the endpoints in the Keystone service
catalog.  The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself.  This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.

Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
2015-02-27 11:26:10 -06:00
Dave McCowan
e4161ae87d Split override-url in functional test config file
BarbicanClient() needs to be able to build a base URL that can
either include or exclude the version string.  This commit
splits these to components in dev_tempest.conf to allow for this
support.

Change-Id: If08ad992c0706219f73c3769f4ab68e4bf9c51ae
Closes-bug: 1424393
2015-02-22 11:02:59 -05:00
Steve Heyman
215f0a5229 Run functional tests against any barbican server
This change allows you to specify a barbican server
in the etc/dev_tempest.conf file that overrides the
server specified in the keystone service catalog.

Change-Id: I1919b0c2cb20ef3b14f26622d6fc04d48cd55481
2015-02-04 17:07:58 -06:00
Steve Heyman
5098564e7a Add the ability to use either identity v2 or v3 API
The etc/dev_tempest.conf file specifies which version of
identity to use, but the functional tests only support v3.

This CR honors the version and supports either v2 or v3.

Change-Id: Ief4f404cc899f04a9819517538e0d554d1c11d34
2015-02-02 19:31:33 -06:00
Steve Heyman
08726233da Resolve intermittent HTTP 404 in devstack gate
An intermittent 404 would occur because of the way that
Tempest keystone v3 authprovider was resolving base URLs.
Barbican wasn't passing in a region code, and the tempest
v3 auth provider was picking the "first" entry in the
entrypoint list, which was often the Barbican admin URL
(port 9312).  Trying to use that port for normal Barbican
ReST calls resulted in the http 404.  This fix adds the
region to the devstack config and uses that on the filter
that Barbican gives to Tempest to find the correct
Barbican endpoint.

Change-Id: Ib6dd5aa79198463b5db2541d85de8e67b400212b
Closes-Bug: #1407767
2015-01-23 12:17:40 -06:00
Juan Antonio Osorio Robles
b77710c88a Fix UnicodeDecodeError's in the functional tests
While running the functional tests some UnicodeDecodeErrors are
triggered since the logger can't properly print some binary characters
that are provided in both the requests (When PUTing a secret) and the
responses (when GETing a secret). So this catches those errors and
sets the logged string to be properly printed, which helps debugging
for errors.

Change-Id: Ia61e4fc0891775c15d725ac8b2d5178e31ec9bf1
2015-01-14 10:01:53 +02:00
Juan Antonio Osorio Robles
d288d702eb Only de-serialize objects when possible
If the response obtained by the client in the functional tests was not
successful, the de-serialization into a model object will throw an
exception, since the response doesn't contain a JSON string that could
be used for creating such an object; it will contain the error code
and a relevant error message. This fixes that and also adds a little
bit more logging when de-serializing objects.

The reason for adding this is that, even though the exceptions that
this threw were caught at some point, it only generated unnecessary
noise in the logs.

Change-Id: I2fbf9ddbe21aaea3dcf112f4bff39942625599ff
2015-01-12 23:00:24 +02:00
Juan Antonio Osorio Robles
27c1b15df1 Use keystone v3 credentials for functional tests
Change-Id: I017bb6d85f4dea6b20926f825227f46b3c6f0942
Partially implements: blueprint replace-concept-of-tenants-for-projects
2014-12-17 01:02:29 +02:00
Thomas Dinkjian
0b8743948a Added smoke tests for consumers
Moved consumers tests from functional to smoke tests.
Added test to handle get consumers.
Also added consumer behaviors and the consumer model.

Change-Id: I3466fbf6c0f13ba9ea483a8251f19b00104968a3
2014-12-01 09:12:46 -06:00
Jenkins
4671c884be Merge "Use "key-manager" for service type" 2014-11-12 09:17:46 +00:00
Douglas Mendizabal
8a1df28d6e Use "key-manager" for service type
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with the
official program name "Key Management Service".

Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
2014-11-11 17:23:35 -06:00
Thomas Dinkjian
f6942fc476 Added support classes for secret functional tests
Includes changes to supporting behaviors, models, and utils.

Change-Id: Ib56105c60c8039737153323e81aa6218908b9104
2014-10-30 13:21:00 -05:00
Thomas Dinkjian
d559253f9b Smoke tests for secrets in Barbican Functional Tests
Also updated secret models and behaviors for a more usable api.
Modified client to create models using updated model API.

Change-Id: I414f4869e1013caec0a2e6c69e4e176aba4e43e7
2014-10-28 10:57:43 -05:00
John Vrbanac
7fd68bed37 Adding tox job for local functional test dev
* Also adding a couple basic log messages to highlight when
tests start and end.

Change-Id: Ib455d164209a7e9a3c9fb6fd4561ec196009a02e
2014-10-02 19:19:12 -05:00
Steve Heyman
018404b82e Refactor secret functional tests using models and behaviors
Updated the functional tests to use models and behaviors for secrets.
* Adding simple HATEOAS-compatible rest client
* Fixing model de/serialization
* Modifying all tests to conform to the new client
* Adding option to load tempest config from local etc
* Incorporating review feedback

Change-Id: I497b4f7bf10a9f47ca399b569d964762505466c9
2014-09-25 19:01:50 -05:00