44 Commits

Author SHA1 Message Date
Tim Burke
5a294dd94a functionaltests: Add response headers to logging info
Notably, these should include X-Openstack-Request-Id which will help
correlate server logs with test failures.

Change-Id: I7471afb30afceb9e44b30e6749a022ef3d005a36
2019-01-15 06:17:41 +00:00
Jeremy Liu
bed85c63e1 Revert "Revert "Use devstack functions for deploying barbican-svc""
This reverts commit 3c6df48cbc28322559be89ce68e33de6d9263810.

Change-Id: If31494ccbce3aeddff0de6a28651a70a3e33dc65
Depends-On: Id7230198583355a83b1ee4acef3da7cde7118794
2017-09-04 08:42:19 +00:00
Kaitlin Farr
3c6df48cbc Revert "Use devstack functions for deploying barbican-svc"
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ).  We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.

This reverts commit 508a34e23c05013a7ba1f33120c78e0da5cc8f28.

Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
2017-08-08 22:39:11 +00:00
Matthew Treinish
508a34e23c Use devstack functions for deploying barbican-svc
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.

Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
2017-08-01 17:02:55 +00:00
Dave McCowan
2909fda016 Fixes for Running Functional Tests with Python 3.5
Fixing the standard things when making code py27/p35 compatible.

Also, removing the logging of the passed value of an HTTP
header.  If the value could not be encoded to log, then there
are Tracebacks that showed up with Python 3.5.  Since the value
can be passed by a user, it should either be scrubbed before logging
or not logged, to prevent possible content injection in the log
stream.

Change-Id: I8df1553acb6c7e5f75a1b50f024dc032ca982a93
2017-04-27 13:06:14 -04:00
Duan Jiong
470d76d138 Fix some reST field lists in docstrings
Probably the most common format for documenting arguments is reST field
lists [1]. This change updates some docstrings to comply with the field
lists syntax.

[1] http://sphinx-doc.org/domains.html#info-field-lists

Change-Id: I2f48183114b0f41dd9da18b7244219772844391c
2017-03-23 13:44:24 +08:00
Kaitlin Farr
8a057cdd40 Change tempest find_test_caller import
The tempest.lib.common.utils.misc.find_test_caller is
deprecated, replace with tempest.lib.common.utils.
test_utils.find_test_caller.

Closes-Bug: #1666299
Change-Id: I974c482825686d49ad1dfd25eac00e85d0fc6b50
2017-02-22 09:11:32 -05:00
Douglas Mendizábal
39331ca5d2 Use Domains with Keystone v3 in functional tests
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.

Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
2016-09-27 21:22:25 +00:00
Arun Kant
ce6336f393 User with creator role can delete his/her own secret and container
Modified policy and tests to verify this change.

As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.

There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.

Updated role docs to reflect this behavior.

Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
2016-07-25 13:42:01 -07:00
Jenkins
2f421d98c4 Merge "Code cleanup"
2016-05-19 17:23:06 +00:00
Daniel Gonzalez
c6fbe7f466 Replace tempest-lib with tempest.lib
tempest-lib is deprecated, replace it with tempest.lib.

Closes-Bug: #1553047
Change-Id: Iaebffd042858a0777854d15f10fdd195ff24b340
2016-04-28 15:26:49 -05:00
Pan
d8d178599a Code cleanup
Some cleanup on common usage and patterns

Change-Id: I55c002b38618ebde0a86ab47de1447d7d3a44327
2016-04-28 15:13:53 -04:00
Jenkins
df8aab57fb Merge "Add a configurable setting in barbican-functional.conf for SSL"
2016-03-28 04:59:34 +00:00
Jenkins
d6a606d410 Merge "Add cleanup capability for secrets and containers"
2016-03-23 16:56:46 +00:00
Steve Heyman
c68acb2f28 Add a configurable setting in barbican-functional.conf for SSL
Normal requests from the functional tests specify verify=True to
validate certs.  However, for internal or test deployments you
may require verify=False.  This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.

To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.

Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
2016-03-23 09:30:53 -05:00
Steve Heyman
82de5e3175 Add a configurable setting in barbican-functional.conf for timeouts
When debugging API calls, you often timeout because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.

Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
2016-03-21 14:17:58 -05:00
Steve Heyman
295dba14d2 Add cleanup capability for secrets and containers
Created cleanup functions for secrets and containers.  They can be
run just like a single testcase but they aren't included when you
run the functional test suite.

The secrets cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_secrets.py:SecretsTestCase._cleanup_all_secrets

The containers cleanup is run using:

    nosetests functionaltests/api/v1/functional/test_containers.py:ContainersTestCase._cleanup_all_containers

The cleanup code will walk through the list of functional test users
(i.e. the users specified in the barbican-functional.conf) and delete
all secrets and containers for those users.

You can use this in your own CI/CD process to ensure that a functional
test run always starts with zero secrets/containers for the functional
test users.

Change-Id: I949f78729ea7b9a228676a23a2ebc11826e3baf8
2016-03-21 13:07:38 -05:00
Steve Heyman
1532f61b52 Fix http 500 when getting secret payload with no Accept header
Functional tests had default values for Accept header which were
masking a bug when you try to GET a secret with /payload and don't
pass in an accept header.

Fixed this and also updated the functional test client to allow
tests to specify headers to be omitted on a test-by-test basis.

Change-Id: Ia67d37571ca3d561cdcc67ce3c4fb896def35a24
2016-02-21 20:48:46 -06:00
Arun Kant
ea95d8e768 Making barbican endpoint selection values to be configurable attributes.
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.

Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
2015-09-30 12:25:18 -07:00
Dave McCowan
9614a0c45b Introduce the key-manager:service-admin role
In Barbican, the admin role specifies a user that has complete
authority over resources within a project.  An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.

With the implementation of the quotas blueprint, there is a need for
a new limited purpose role.  This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.

This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.

The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas.  It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.

Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
2015-08-17 23:55:44 -04:00
Jenkins
1d6678704a Merge "Implement Configuration, Controllers, and Validators for Resource Quotas"
2015-07-22 14:51:46 +00:00
Dave McCowan
7bbf9e48ac Add RBAC Functional Test for ACL Operations
Adding functional tests that verify that only roles who should have
access to operate on ACLs can operate on ACLs.

Operations Covered: Set, Get, Update, and Delete of ACLs
User Roles Covered: Admin, Creator, Observer, Auditor of Project under
                    test.  And Admin and Observer with token scoped
                    to a different project.

Change-Id: I0431de273062ee774ab70986c7e066a742215d3a
Relates-to: blueprint multi-user-functional-tests
2015-07-16 15:39:28 -05:00
Dave McCowan
ce5b32ac13 Implement Configuration, Controllers, and Validators for Resource Quotas
In the interest of smaller CRs, this CR partially implements the
quota support blueprint.  It includes code for configuration,
controller, and validator.  Also, the framework for unit and functional
tests.

The controllers process the URL resources /quotas and /project-quotas.
The configuration code reads the quota default values from the [quotas]
section of barbican.conf.  The validator code checks the validity of
the JSON sent with a POST /project-quotas/ API command.

Implements: blueprint quota-support-on-barbican-resources
Change-Id: Iad09b19cf6b9a6fa6b29d8b99e3f72172f801070
2015-07-13 16:24:55 +00:00
Steve Heyman
5e82cbeaec Add more users/roles to secret/container RBAC tests
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests.  This completes
the matrix of tests for secret and container GET.

Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 16:07:16 -05:00
Dave McCowan
28135c1099 Add Multi-user support for Functional Tests
This commit adds the infrastructure for multi user testing.  It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.

Six users with four roles and two projects are added.
   In Project A: admin_a, creator_a, observer_a, auditor_a
   In Project B: admin_b, observer_b

Get Secrets and Get Containers are tested for each user.

Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests

Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
2015-05-08 17:06:54 -04:00
John Vrbanac
a9eb91823d Making sure we allow all content-types for delete calls
Considering we don't care about the accept or content-type
headers for delete calls. This change allows for someone to use
whatever accept header for delete calls to orders and containers
by adding the allow_all_content_type decorator. This provides
better compatibility across REST clients as some automatically
add the Accept application/json header to their calls. In
addition, this adds the accept application/json header to
our functional tests. If we're testing how the app handles
headers, then those should be specific tests.

Change-Id: I7fb4ba7c30ade9a5d4392d85b1a367987c851752
2015-03-14 17:23:39 -05:00
Adam Harwell
4db87956df Fix functionaltest keystone URL fetch bug for v2
Change-Id: Iccc76bcc5fb3d73ea9738e5a8ec99554530c1e05
2015-03-13 10:21:33 -05:00
John Vrbanac
2a4fb02bb3 Replacing functional test authentication hookup
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.

Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
2015-03-11 02:39:33 -05:00
Juan Antonio Osorio Robles
10cb949501 Use urljoin instead of os.path.join
In the client used for the functional tests, os.path.join is being
used to attach segments of URLs. So urljoin is being proposed here
instead, since it's a more appropriate function for this.

Change-Id: Id43a349702e695fcc9630814def21dd48b23d0e8
2015-03-03 10:29:45 +02:00
Douglas Mendizabal
124d232e5c Remove version from endpoints in catalog
Remove the API version from the endpoints in the Keystone service
catalog.  The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself.  This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.

Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
2015-02-27 11:26:10 -06:00
Dave McCowan
e4161ae87d Split override-url in functional test config file
BarbicanClient() needs to be able to build a base URL that can
either include or exclude the version string.  This commit
splits these to components in dev_tempest.conf to allow for this
support.

Change-Id: If08ad992c0706219f73c3769f4ab68e4bf9c51ae
Closes-bug: 1424393
2015-02-22 11:02:59 -05:00
Steve Heyman
215f0a5229 Run functional tests against any barbican server
This change allows you to specify a barbican server
in the etc/dev_tempest.conf file that overrides the
server specified in the keystone service catalog.

Change-Id: I1919b0c2cb20ef3b14f26622d6fc04d48cd55481
2015-02-04 17:07:58 -06:00
Steve Heyman
5098564e7a Add the ability to use either identity v2 or v3 API
The etc/dev_tempest.conf file specifies which version of
identity to use, but the functional tests only support v3.

This CR honors the version and supports either v2 or v3.

Change-Id: Ief4f404cc899f04a9819517538e0d554d1c11d34
2015-02-02 19:31:33 -06:00
Steve Heyman
08726233da Resolve intermittent HTTP 404 in devstack gate
An intermittent 404 would occur because of the way that
Tempest keystone v3 authprovider was resolving base URLs.
Barbican wasn't passing in a region code, and the tempest
v3 auth provider was picking the "first" entry in the
entrypoint list, which was often the Barbican admin URL
(port 9312).  Trying to use that port for normal Barbican
ReST calls resulted in the http 404.  This fix adds the
region to the devstack config and uses that on the filter
that Barbican gives to Tempest to find the correct
Barbican endpoint.

Change-Id: Ib6dd5aa79198463b5db2541d85de8e67b400212b
Closes-Bug: #1407767
2015-01-23 12:17:40 -06:00
Juan Antonio Osorio Robles
b77710c88a Fix UnicodeDecodeError's in the functional tests
While running the functional tests some UnicodeDecodeErrors are
triggered since the logger can't properly print some binary characters
that are provided in both the requests (When PUTing a secret) and the
responses (when GETing a secret). So this catches those errors and
sets the logged string to be properly printed, which helps debugging
for errors.

Change-Id: Ia61e4fc0891775c15d725ac8b2d5178e31ec9bf1
2015-01-14 10:01:53 +02:00
Juan Antonio Osorio Robles
d288d702eb Only de-serialize objects when possible
If the response obtained by the client in the functional tests was not
successful, the de-serialization into a model object will throw an
exception, since the response doesn't contain a JSON string that could
be used for creating such an object; it will contain the error code
and a relevant error message. This fixes that and also adds a little
bit more logging when de-serializing objects.

The reason for adding this is that, even though the exceptions that
this threw were caught at some point, it only generated unnecessary
noise in the logs.

Change-Id: I2fbf9ddbe21aaea3dcf112f4bff39942625599ff
2015-01-12 23:00:24 +02:00
Juan Antonio Osorio Robles
27c1b15df1 Use keystone v3 credentials for functional tests
Change-Id: I017bb6d85f4dea6b20926f825227f46b3c6f0942
Partially implements: blueprint replace-concept-of-tenants-for-projects
2014-12-17 01:02:29 +02:00
Thomas Dinkjian
0b8743948a Added smoke tests for consumers
Moved consumers tests from functional to smoke tests.
Added test to handle get consumers.
Also added consumer behaviors and the consumer model.

Change-Id: I3466fbf6c0f13ba9ea483a8251f19b00104968a3
2014-12-01 09:12:46 -06:00
Jenkins
4671c884be Merge "Use "key-manager" for service type"
2014-11-12 09:17:46 +00:00
Douglas Mendizabal
8a1df28d6e Use "key-manager" for service type
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with the
official program name "Key Management Service".

Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
2014-11-11 17:23:35 -06:00
Thomas Dinkjian
f6942fc476 Added support classes for secret functional tests
Includes changes to supporting behaviors, models, and utils.

Change-Id: Ib56105c60c8039737153323e81aa6218908b9104
2014-10-30 13:21:00 -05:00
Thomas Dinkjian
d559253f9b Smoke tests for secrets in Barbican Functional Tests
Also updated secret models and behaviors for a more usable api.
Modified client to create models using updated model API.

Change-Id: I414f4869e1013caec0a2e6c69e4e176aba4e43e7
2014-10-28 10:57:43 -05:00
John Vrbanac
7fd68bed37 Adding tox job for local functional test dev
* Also adding a couple basic log messages to highlight when
tests start and end.

Change-Id: Ib455d164209a7e9a3c9fb6fd4561ec196009a02e
2014-10-02 19:19:12 -05:00
Steve Heyman
018404b82e Refactor secret functional tests using models and behaviors
Updated the functional tests to use models and behaviors for secrets.
* Adding simple HATEOAS-compatible rest client
* Fixing model de/serialization
* Modifying all tests to conform to the new client
* Adding option to load tempest config from local etc
* Incorporating review feedback

Change-Id: I497b4f7bf10a9f47ca399b569d964762505466c9
2014-09-25 19:01:50 -05:00