From 702f0befcea128ac2bc95bad787d592056f18ad4 Mon Sep 17 00:00:00 2001 From: Katarina Strenkova Date: Mon, 7 Aug 2023 12:53:28 +0000 Subject: [PATCH] Skip failing tests affected by minimum password age Some identity api tests are failing, when keystone parameter minimum_password_age is set to value greater than 0. It causes inability to update user's password more than once per test suite. As in this test suite it is required total of four times, this patch suggests skipping these tests to avoid complicated workaround. This bug has been discussed in several patches [1][2]. Additionaly, config option for user_minimum_password_age is added into tempest/config.py, to allow users to work with this keystone parameter. [1] https://review.opendev.org/c/openstack/tempest/+/806671 [2] https://review.opendev.org/c/openstack/tempest/+/838726 Related-Bug: #1946459 Change-Id: I418e4001b0aa27f10a78f3490cc233293c30c274 --- ...fig-opt-minimum-password-age-426e9d225f743137.yaml | 8 ++++++++ tempest/api/identity/v3/test_users.py | 8 ++++++++ tempest/config.py | 11 +++++++++-- 3 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml diff --git a/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml b/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml new file mode 100644 index 0000000000..06f993e140 --- /dev/null +++ b/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Adding a new config option `[identity]/user_minimum_password_age` + which allows to specify the number of days that a password must + be used before the user can change it. For this option to take + effect, identity-feature-enabled.security_compliance must be set + to True. diff --git a/tempest/api/identity/v3/test_users.py b/tempest/api/identity/v3/test_users.py index b95bd759ad..53814ad077 100644 --- a/tempest/api/identity/v3/test_users.py +++ b/tempest/api/identity/v3/test_users.py @@ -88,6 +88,10 @@ class IdentityV3UsersTest(base.BaseIdentityV3Test): 'Skipped because environment has an ' 'immutable user source and solely ' 'provides read-only access to users.') + @testtools.skipIf(CONF.identity.user_minimum_password_age > 0, + 'Skipped because password cannot ' + 'be changed immediately, resulting ' + 'in failed password update.') def test_user_update_own_password(self): """Test updating user's own password""" old_pass = self.creds.password @@ -116,6 +120,10 @@ class IdentityV3UsersTest(base.BaseIdentityV3Test): 'Skipped because environment has an ' 'immutable user source and solely ' 'provides read-only access to users.') + @testtools.skipIf(CONF.identity.user_minimum_password_age > 0, + 'Skipped because password cannot ' + 'be changed immediately, resulting ' + 'in failed password update.') def test_password_history_check_self_service_api(self): """Test checking password changing history""" old_pass = self.creds.password diff --git a/tempest/config.py b/tempest/config.py index a174fddb55..5107726077 100644 --- a/tempest/config.py +++ b/tempest/config.py @@ -199,8 +199,15 @@ IdentityGroup = [ "default value is 0 meaning disabling this feature. " "NOTE: This config option value must be same as " "keystone.conf: security_compliance.unique_last_password_" - "count otherwise test might fail" - ), + "count otherwise test might fail"), + cfg.IntOpt('user_minimum_password_age', + default=0, + help="The number of days that a password must be used before " + "the user can change it. This only takes effect when " + "identity-feature-enabled.security_compliance is set to " + "'True'. For more details, refer to keystone config " + "options " + "keystone.conf:security_compliance.minimum_password_age.") ] service_clients_group = cfg.OptGroup(name='service-clients',