Notably, these should include X-Openstack-Request-Id which will help
correlate server logs with test failures.
Change-Id: I7471afb30afceb9e44b30e6749a022ef3d005a36
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ). We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.
This reverts commit 508a34e23c05013a7ba1f33120c78e0da5cc8f28.
Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.
Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
Fixing the standard things when making code py27/py35 compatible.
Also, removing the logging of the passed value of an HTTP
header. If the value could not be encoded to log, then there
are Tracebacks that showed up with Python 3.5. Since the value
can be passed by a user, it should either be scrubbed before logging
or not logged, to prevent possible content injection in the log
stream.
Change-Id: I8df1553acb6c7e5f75a1b50f024dc032ca982a93
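An added illustration of the "scrubbed before logging" option named in the commit message above; it is not code from this commit or from Barbican. The names `scrub_for_log` and `render_log_line`, the 128-character cap and the sample value are all assumptions made for the example.

```python
import unicodedata

MAX_LOGGED_LEN = 128  # assumed cap, not a Barbican setting


def scrub_for_log(value, max_len=MAX_LOGGED_LEN):
    """Return a one-line, printable form of a user-supplied header value."""
    if isinstance(value, bytes):
        # surrogateescape never raises; undecodable bytes become lone
        # surrogates, which are escaped below instead of causing a traceback.
        value = value.decode("utf-8", errors="surrogateescape")
    elif not isinstance(value, str):
        value = str(value)
    out = []
    for ch in value:
        cat = unicodedata.category(ch)
        if ch == "\\":
            out.append("\\\\")  # keep the escaped form unambiguous
        elif cat.startswith("C") or cat in ("Zl", "Zp"):
            # Control, format, surrogate and line/paragraph separator
            # characters are written as visible escapes (CR, LF, ESC, ...).
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    cleaned = "".join(out)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def render_log_line(header_name, value):
    """Build the message text; the header name is treated as trusted here."""
    return "Rejected header %s=%s" % (header_name, scrub_for_log(value))


# Constructed sample: a value that tries to forge a second log entry.
FORGED = "text/plain\r\n2017-01-01 00:00:00 ERROR forged entry"
```

The forged value stays on one log line with its CR and LF visible as `\r\n`, so a reader or log parser cannot mistake it for a separate entry.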
Probably the most common format for documenting arguments is reST field
lists [1]. This change updates some docstrings to comply with the field
lists syntax.
[1] http://sphinx-doc.org/domains.html#info-field-lists
Change-Id: I2f48183114b0f41dd9da18b7244219772844391c
The tempest.lib.common.utils.misc.find_test_caller is
deprecated, replace with tempest.lib.common.utils.
test_utils.find_test_caller.
Closes-Bug: #1666299
Change-Id: I974c482825686d49ad1dfd25eac00e85d0fc6b50
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.
Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
Normal requests from the functional tests specify verify=True to
validate certs. However, for internal or test deployments you
may require verify=False. This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.
To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.
Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
When debugging API calls, you often time out because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.
Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
Created cleanup functions for secrets and containers. They can be
run just like a single testcase but they aren't included when you
run the functional test suite.
The secrets cleanup is run using:
nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets
The containers cleanup is run using:
nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers
The cleanup code will walk through the list of functional test users
(i.e. the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.
You can use this in your own CI/CD process to ensure that a functional
test run always starts with zero secrets/containers for the functional
test users.
Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.
Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.
Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.
Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
Adding functional tests that verify that only roles who should have
access to operate on ACLs can operate on ACLs.
Operations Covered: Set, Get, Update, and Delete of ACLs
User Roles Covered: Admin, Creator, Observer, Auditor of Project under
test. And Admin and Observer with token scoped
to a different project.
Change-Id: I0431de273062ee774ab70986c7e066a742215d3a
Relates-to: blueprint multi-user-functional-tests
In the interest of smaller CRs, this CR partially implements the
quota support blueprint. It includes code for configuration,
controller, and validator. Also, the framework for unit and functional
tests.
The controllers process the URL resources /quotas and /project-quotas.
The configuration code reads the quota default values from the [quotas]
section of barbican.conf. The validator code checks the validity of
the JSON sent with a POST /project-quotas/ API command.
Implements: blueprint quota-support-on-barbican-resources
Change-Id: Iad09b19cf6b9a6fa6b29d8b99e3f72172f801070
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests. This completes
the matrix of tests for secret and container GET.
Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.
Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
This commit adds the infrastructure for multi user testing. It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.
Six users with four roles and two projects are added.
In Project A: admin_a, creator_a, observer_a, auditor_a
In Project B: admin_b, observer_b
Get Secrets and Get Containers are tested for each user.
Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests
Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
Considering we don't care about the accept or content-type
headers for delete calls, this change allows someone to use
whatever accept header for delete calls to orders and containers
by adding the allow_all_content_type decorator. This provides
better compatibility across REST clients as some automatically
add the Accept application/json header to their calls. In
addition, this adds the accept application/json header to
our functional tests. If we're testing how the app handles
headers, then those should be specific tests.
Change-Id: I7fb4ba7c30ade9a5d4392d85b1a367987c851752
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.
Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
In the client used for the functional tests, os.path.join is being
used to attach segments of URLs. So urljoin is being proposed here
instead, since it's a more appropriate function for this.
Change-Id: Id43a349702e695fcc9630814def21dd48b23d0e8
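An added example, not code from this commit or from the Barbican test client, contrasting the two joining functions named in the commit message above on a base URL that carries a path (the `http://ip-address/key-manager` shape mentioned earlier on this page). The host `barbican.example`, the helper names and the stay-under-base check are assumptions for illustration.

```python
import ntpath
from urllib.parse import urljoin

# Constructed base URL with a path component and no trailing slash.
BASE = "http://barbican.example/key-manager"


def join_like_windows_os_path(base, *segments):
    """os.path is ntpath on Windows, so os.path.join inserts backslashes."""
    return ntpath.join(base, *segments)


def plain_urljoin(base, relative):
    """urljoin as-is: without a trailing slash the last base segment is
    treated as a file name and replaced by the relative reference."""
    return urljoin(base, relative)


def join_url(base, *segments):
    """Append segments below base and refuse results that leave it."""
    root = base.rstrip("/") + "/"
    url = root
    for seg in segments:
        # The trailing slash marks the current URL as a directory; stripping
        # the segment's leading slashes keeps it relative to that directory.
        url = urljoin(url.rstrip("/") + "/", seg.lstrip("/"))
    # urljoin resolves ".." and accepts absolute URLs, so check the result.
    if not url.startswith(root):
        raise ValueError("segment escapes base URL: %r" % (segments,))
    return url
```

The final check matters when a segment can come from outside the test code: `..` or an absolute URL would otherwise send the request, and any token attached to it, somewhere other than the configured endpoint.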
Remove the API version from the endpoints in the Keystone service
catalog. The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself. This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.
Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
BarbicanClient() needs to be able to build a base URL that can
either include or exclude the version string. This commit
splits these to components in dev_tempest.conf to allow for this
support.
Change-Id: If08ad992c0706219f73c3769f4ab68e4bf9c51ae
Closes-bug: 1424393
This change allows you to specify a barbican server
in the etc/dev_tempest.conf file that overrides the
server specified in the keystone service catalog.
Change-Id: I1919b0c2cb20ef3b14f26622d6fc04d48cd55481
The etc/dev_tempest.conf file specifies which version of
identity to use, but the functional tests only support v3.
This CR honors the version and supports either v2 or v3.
Change-Id: Ief4f404cc899f04a9819517538e0d554d1c11d34
An intermittent 404 would occur because of the way that
Tempest keystone v3 authprovider was resolving base URLs.
Barbican wasn't passing in a region code, and the tempest
v3 auth provider was picking the "first" entry in the
entrypoint list, which was often the Barbican admin URL
(port 9312). Trying to use that port for normal Barbican
ReST calls resulted in the http 404. This fix adds the
region to the devstack config and uses that on the filter
that Barbican gives to Tempest to find the correct
Barbican endpoint.
Change-Id: Ib6dd5aa79198463b5db2541d85de8e67b400212b
Closes-Bug: #1407767
While running the functional tests some UnicodeDecodeErrors are
triggered since the logger can't properly print some binary characters
that are provided in both the requests (when PUTing a secret) and the
responses (when GETing a secret). So this catches those errors and
sets the logged string to be properly printed, which helps debugging
for errors.
Change-Id: Ia61e4fc0891775c15d725ac8b2d5178e31ec9bf1
If the response obtained by the client in the functional tests was not
successful, the de-serialization into a model object will throw an
exception, since the response doesn't contain a JSON string that could
be used for creating such an object; it will contain the error code
and a relevant error message. This fixes that and also adds a little
bit more logging when de-serializing objects.
The reason for adding this is that, even though the exceptions that
this threw were caught at some point, it only generated unnecessary
noise in the logs.
Change-Id: I2fbf9ddbe21aaea3dcf112f4bff39942625599ff
Moved consumers tests from functional to smoke tests.
Added test to handle get consumers.
Also added consumer behaviors and the consumer model.
Change-Id: I3466fbf6c0f13ba9ea483a8251f19b00104968a3
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with the
official program name "Key Management Service".
Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
Also updated secret models and behaviors for a more usable api.
Modified client to create models using updated model API.
Change-Id: I414f4869e1013caec0a2e6c69e4e176aba4e43e7
Updated the functional tests to use models and behaviors for secrets.
* Adding simple HATEOAS-compatible rest client
* Fixing model de/serialization
* Modifying all tests to conform to the new client
* Adding option to load tempest config from local etc
* Incorporating review feedback
Change-Id: I497b4f7bf10a9f47ca399b569d964762505466c9