Add option to disable testing against external idp

Currently, the federation tests are non-voting because they require
connecting to an external service that is not under our control, and is
therefore unreliable. Non-voting tests are a problem because they are
often ignored even when their results are related to new changes. This
change adds a tempest config option
``[identity-feature-enabled]/external_idp``, defaulting to true for
backwards compatibility, which when disabled causes the tests that rely
on the external IdP to be disabled leaving only the K2K federation tests
to be executed. Exercising only the K2K tests is still a good means of
regression testing and we can safely make those tests voting.

Change-Id: I534470df7ca529511ab9a7631f167ec2035ab4be

keystone_tempest_plugin/config.py

@@ -20,6 +20,11 @@ identity_feature_option = [
                 default=False,
                 help='Does the environment support the Federated Identity '
                      'feature?'),
+    cfg.BoolOpt('external_idp',
+                default=True,
+                help='Whether to test federated scenarios against an external '
+                     'identity provider. If disabled, only '
+                     'Keystone-to-Keystone tests will be enabled.'),
 ]
 
 fed_scenario_group = cfg.OptGroup(name='fed_scenario',

keystone_tempest_plugin/tests/scenario/test_federated_authentication.py

@@ -183,14 +183,10 @@ class TestSaml2EcpFederatedAuthentication(base.BaseIdentityTest):
 
         return resp
 
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_unscoped_token(self):
+    def _test_request_unscoped_token(self):
         self._request_unscoped_token()
 
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_scoped_token(self):
+    def _test_request_scoped_token(self):
         resp = self._request_unscoped_token()
         token_id = resp.headers['X-Subject-Token']
 
@@ -203,6 +199,24 @@ class TestSaml2EcpFederatedAuthentication(base.BaseIdentityTest):
             project_id=projects[0]['id'], token=token_id)
 
 
+class TestSaml2FederatedExternalAuthentication(
+    TestSaml2EcpFederatedAuthentication):
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+                          "External identity provider is not available")
+    def test_request_unscoped_token(self):
+        self._test_request_unscoped_token()
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+                          "External identity provider is not available")
+    def test_request_scoped_token(self):
+        self._test_request_scoped_token()
+
+
 class TestK2KFederatedAuthentication(TestSaml2EcpFederatedAuthentication):
 
     def setUp(self):
@@ -253,3 +267,13 @@ class TestK2KFederatedAuthentication(TestSaml2EcpFederatedAuthentication):
         self.auth_client.expected_success(200, resp.status)
 
         return etree.XML(saml), self.sp_url
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    def test_request_unscoped_token(self):
+        self._test_request_unscoped_token()
+
+    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+                          "Federated Identity feature not enabled")
+    def test_request_scoped_token(self):
+        self._test_request_scoped_token()