The tempest.lib.common.utils.misc.find_test_caller is
deprecated, replace with
tempest.lib.common.utils.test_utils.find_test_caller.
Closes-Bug: #1666299
Change-Id: I974c482825686d49ad1dfd25eac00e85d0fc6b50
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.
Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.
This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.
To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.
Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For
Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.
Added a flag in barbican-functional.conf to indicate barbican server setting.
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.
Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
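The derivation described in the commit message above, sketched as an added example (not Barbican's own code): a configured host_href wins, otherwise the prefix is rebuilt from the WSGI environ. The `trusted_hosts` allow-list, the function names and the sample environs are assumptions of this example; the allow-list is there because a prefix taken from the Host header is only as trustworthy as the proxy that sets it.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def derive_host_href(environ, host_href="", trusted_hosts=()):
    """Return the scheme://host[:port] prefix for hrefs in a response.

    host_href mirrors the barbican.conf option; trusted_hosts is a
    hypothetical allow-list added for this example.
    """
    if host_href:  # a configured value always wins
        return host_href.rstrip("/")

    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST")
    if not host:  # PEP 3333 fallback when no Host header was sent
        host = environ["SERVER_NAME"]
        port = environ.get("SERVER_PORT")
        if port and port != DEFAULT_PORTS.get(scheme):
            host = f"{host}:{port}"

    parts = urlsplit(f"{scheme}://{host}")
    parts.port  # raises ValueError on a non-numeric or out-of-range port
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unusable scheme or host")
    if parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError("Host header carries more than host[:port]")
    if trusted_hosts and parts.hostname not in trusted_hosts:
        raise ValueError(f"untrusted host {parts.hostname!r}")
    return f"{scheme}://{host}"


def secret_href(environ, secret_id, **kwargs):
    """Build a secret href on top of the derived prefix."""
    return f"{derive_host_href(environ, **kwargs)}/v1/secrets/{secret_id}"


# Constructed WSGI environments, as seen behind two different proxies.
PUBLIC = {"wsgi.url_scheme": "https", "HTTP_HOST": "kms.example.org"}
INTERNAL = {"wsgi.url_scheme": "http", "HTTP_HOST": "10.0.0.5:9311"}
UNLISTED = {"wsgi.url_scheme": "https", "HTTP_HOST": "other.example.net"}
```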
Normal requests from the functional tests specify verify=True to
validate certs. However, for internal or test deployments you
may require verify=False. This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.
To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.
Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
When debugging API calls, you often timeout because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.
Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
Created cleanup functions for secrets and containers. They can be
run just like a single testcase but they aren't included when you
run the functional test suite.
The secrets cleanup is run using:
nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets
The containers cleanup is run using:
nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers
The cleanup code will walk through the list of functional test users
(ie the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.
You can use this in your own CI/CD process to ensure that a functional
test run always starts with zero secrets/containers for the functional
test users.
Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.
Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.
Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.
Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
Expected quota limits were -1, but deployers can change these defaults
so functional tests should also allow for these default limits to be
configured. This CR adds those configurations.
Change-Id: I889227560206cd60f774157e690d9341441ee76b
Closes-Bug: #1498525
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
Adding functional tests that verify that only roles who should have
access to operate on ACLs can operate on ACLs.
Operations Covered: Set, Get, Update, and Delete of ACLs
User Roles Covered: Admin, Creator, Observer, Auditor of Project under
test. And Admin and Observer with token scoped
to a different project.
Change-Id: I0431de273062ee774ab70986c7e066a742215d3a
Relates-to: blueprint multi-user-functional-tests
In the interest of smaller CRs, this CR partially implements the
quota support blueprint. It includes code for configuration,
controller, and validator. Also, the framework for unit and functional
tests.
The controllers process the URL resources /quotas and /project-quotas.
The configuration code reads the quota default values from the [quotas]
section of barbican.conf. The validator code checks the validity of
the JSON sent with a POST /project-quotas/ API command.
Implements: blueprint quota-support-on-barbican-resources
Change-Id: Iad09b19cf6b9a6fa6b29d8b99e3f72172f801070
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests. This completes
the matrix of tests for secret and container GET.
Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.
Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
This commit adds the infrastructure for multi user testing. It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.
Six users with four roles and two projects are added.
In Project A: admin_a, creator_a, observer_a, auditor_a
In Project B: admin_b, observer_b
Get Secrets and Get Containers are tested for each user.
Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests
Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
Fix the way that normalization was handling base64 encoding in a
one-step POST secret creation.
Previous to this CR, PEM payloads in a one-step POST with
payload_content_encoding="base64" were being converted to DER form,
which was inconsistent with the way content-encoding works with other
secret types.
This CR requires that PEM payloads be base64 encoded in their entirety
to be included in a one-step POST.
This also means that when a PEM payload is passed to the secret_store it
will be base64 encoded in its entirety, so secret stores that need to
use DER forms need to make the conversion internally in the plugin.
I will add the changes for the KMIP secret store in a follow-up CR.
Barbican core also expects PEM formatted payloads that have been base64
encoded back from the secret_store during a get, so those changes are
made as well.
Fixes-Bug: #1441866
Change-Id: Ifbe021729a14f18fddd05991f6f96e49fbcf5c01
Co-Authored-By: Dave McCowan <dmccowan@cisco.com>
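An added example (not part of the commit or of Barbican) of the encoding rule described above: the one-step POST payload is the base64 of the entire PEM text, armor included, and a secret store that needs DER converts internally. Function names and the sample bytes are assumptions of this example; only the two payload fields named in the message are shown.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)


def make_pem(label, der):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def one_step_post_fields(pem_text):
    """Payload fields for a one-step POST: the whole PEM, armor included."""
    return {
        "payload": base64.b64encode(pem_text.encode("ascii")).decode(),
        "payload_content_encoding": "base64",
    }


def payload_to_pem(fields):
    """Recover the PEM text from the payload, as a reader of a GET would."""
    return base64.b64decode(fields["payload"], validate=True).decode("ascii")


def pem_to_der(pem_text):
    """Conversion a secret store plugin does internally if it needs DER."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)


# Constructed bytes standing in for a PKCS#8 key; not real key material.
SAMPLE_DER = bytes(range(100))
SAMPLE_PEM = make_pem("PRIVATE KEY", SAMPLE_DER)
```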
This adds new functional tests that mimic the curl test
examples in doc/source/api/reference/secret_types.rst.
The new tests are:
Create private secret with POST.
Create private secret with POST and PUT.
Create public secret with POST.
Create public secret with POST and PUT.
Create passphrase secret with POST.
Create RSA container with POST.
Order RSA container
Order certificates
The secrets used in this test are generated using OpenSSL.
Per the API reference, the stored and retrieved
secret values should match.
The secret formats are:
private: PKCS#8 PEM
public: PEM
passphrase: text
certificate: PEM
Secrets sent in JSON via POST are base64 encoded
Secrets sent in the body via POST and PUT are sent natively
The public and private tests fail pending a fix for 1441866.
Change-Id: I82d9864e0ee6e20d1f07b0f171c776ac4ea24171
Considering we don't care about the accept or content-type
headers for delete calls. This change allows for someone to use
whatever accept header for delete calls to orders and containers
by adding the allow_all_content_type decorator. This provides
better compatibility across REST clients as some automatically
add the Accept application/json header to their calls. In
addition, this adds the accept application/json header to
our functional tests. If we're testing how the app handles
headers, then those should be specific tests.
Change-Id: I7fb4ba7c30ade9a5d4392d85b1a367987c851752
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.
Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
In the client used for the functional tests, os.path.join is being
used to attach segments of URLs. So urljoin is being proposed here
instead, since it's a more appropriate function for this.
Change-Id: Id43a349702e695fcc9630814def21dd48b23d0e8
Remove the API version from the endpoints in the Keystone service
catalog. The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself. This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.
Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
BarbicanClient() needs to be able to build a base URL that can
either include or exclude the version string. This commit
splits these to components in dev_tempest.conf to allow for this
support.
Change-Id: If08ad992c0706219f73c3769f4ab68e4bf9c51ae
Closes-bug: 1424393
This change allows you to specify a barbican server
in the etc/dev_tempest.conf file that overrides the
server specified in the keystone service catalog.
Change-Id: I1919b0c2cb20ef3b14f26622d6fc04d48cd55481
The etc/dev_tempest.conf file specifies which version of
identity to use, but the functional tests only support v3.
This CR honors the version and supports either v2 or v3.
Change-Id: Ief4f404cc899f04a9819517538e0d554d1c11d34
An intermittent 404 would occur because of the way that
Tempest keystone v3 authprovider was resolving base URLs.
Barbican wasn't passing in a region code, and the tempest
v3 auth provider was picking the "first" entry in the
entrypoint list, which was often the Barbican admin URL
(port 9312). Trying to use that port for normal Barbican
ReST calls resulted in the http 404. This fix adds the
region to the devstack config and uses that on the filter
that Barbican gives to Tempest to find the correct
Barbican endpoint.
Change-Id: Ib6dd5aa79198463b5db2541d85de8e67b400212b
Closes-Bug: #1407767
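The failure mode described above, as an added example that is not Tempest's or Barbican's code: taking the first catalog entry can return the admin URL, while an explicit filter resolves the intended endpoint. The catalog is constructed, the function names are hypothetical, and filtering on interface as well as region goes beyond what the commit message states.

```python
# Constructed Keystone v3 catalog entry; hosts are placeholders.
CATALOG = [
    {"type": "key-manager", "name": "barbican", "endpoints": [
        {"interface": "admin", "region": "RegionOne",
         "url": "http://kms.example.org:9312"},
        {"interface": "public", "region": "RegionOne",
         "url": "http://kms.example.org:9311"},
        {"interface": "public", "region": "RegionTwo",
         "url": "http://kms2.example.org:9311"},
    ]},
]


def endpoints_for(catalog, service_type):
    """Flatten all endpoints of every service of the given type."""
    return [ep for svc in catalog if svc["type"] == service_type
            for ep in svc["endpoints"]]


def first_endpoint(catalog, service_type):
    """Unfiltered lookup: the result depends on catalog ordering."""
    return endpoints_for(catalog, service_type)[0]["url"]


def pick_endpoint(catalog, service_type, region, interface="public"):
    """Filtered lookup that fails closed on zero or ambiguous matches."""
    matches = [ep["url"] for ep in endpoints_for(catalog, service_type)
               if ep["region"] == region and ep["interface"] == interface]
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} endpoints for {service_type}/{region}/{interface}")
    return matches[0]
```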
While running the functional tests some UnicodeDecodeErrors are
triggered since the logger can't properly print some binary characters
that are provided in both the requests (When PUTing a secret) and the
responses (when GETing a secret). So this catches those errors and
sets the logged string to be properly printed, which helps debugging
for errors.
Change-Id: Ia61e4fc0891775c15d725ac8b2d5178e31ec9bf1
If the response obtained by the client in the functional tests was not
successful, the de-serialization into a model object will throw an
exception, since the response doesn't contain a JSON string that could
be used for creating such an object; it will contain the error code
and a relevant error message. This fixes that and also adds a little
bit more logging when de-serializing objects.
The reason for adding this is that, even though the exceptions that
this threw were caught at some point, it only generated unnecessary
noise in the logs.
Change-Id: I2fbf9ddbe21aaea3dcf112f4bff39942625599ff
Moved consumers tests from functional to smoke tests.
Added test to handle get consumers.
Also added consumer behaviors and the consumer model.
Change-Id: I3466fbf6c0f13ba9ea483a8251f19b00104968a3
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with the
official program name "Key Management Service".
Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
Also updated secret models and behaviors for a more usable api.
Modified client to create models using updated model API.
Change-Id: I414f4869e1013caec0a2e6c69e4e176aba4e43e7
Updated the functional tests to use models and behaviors for secrets.
* Adding simple HATEOAS-compatible rest client
* Fixing model de/serialization
* Modifying all tests to conform to the new client
* Adding option to load tempest config from local etc
* Incorporating review feedback
Change-Id: I497b4f7bf10a9f47ca399b569d964762505466c9