Merge "Drop MANIFEST.in"
diff --git a/barbican_tempest_plugin/clients.py b/barbican_tempest_plugin/clients.py
index 078f383..9c009ba 100644
--- a/barbican_tempest_plugin/clients.py
+++ b/barbican_tempest_plugin/clients.py
@@ -12,14 +12,22 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 
+from tempest import clients
+from tempest.common import credentials_factory as common_creds
 from tempest import config
-from tempest.lib.services import clients
-
+from tempest.lib.services import clients as cli
 
 CONF = config.CONF
 
+ADMIN_CREDS = common_creds.get_configured_admin_credentials()
 
-class Clients(clients.ServiceClients):
+
+class Manager(clients.Manager):
+    def __init__(self, credentials=ADMIN_CREDS):
+        super(Manager, self).__init__(credentials)
+
+
+class Clients(cli.ServiceClients):
     """Tempest stable service clients and loaded plugins service clients"""
 
     def __init__(self, credentials, service=None):
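Review bot: `ADMIN_CREDS = common_creds.get_configured_admin_credentials()` runs when the module is imported, so importing `barbican_tempest_plugin.clients` presumably needs admin credentials to be configured, and a failure there would surface as an import error rather than a test skip. The value is also frozen as the default of `Manager.__init__`, which means any caller that omits `credentials` silently operates as admin. Resolving it lazily keeps the interface and makes the privileged default explicit: `def __init__(self, credentials=None):` followed by `if credentials is None: credentials = common_creds.get_configured_admin_credentials()`. A docstring on `Manager` stating that it defaults to admin credentials would help readers of the scenario tests.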
diff --git a/barbican_tempest_plugin/tests/api/test_consumers.py b/barbican_tempest_plugin/tests/api/test_consumers.py
index bd11cc8..606ae0e 100644
--- a/barbican_tempest_plugin/tests/api/test_consumers.py
+++ b/barbican_tempest_plugin/tests/api/test_consumers.py
@@ -12,12 +12,15 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests.api import base
 
 
 class ConsumersTest(base.BaseKeyManagerTest):
     """Containers API tests."""
 
+    @decorators.idempotent_id('7d46a170-6b3b-4f4d-903a-b29aebb93289')
     def test_add_delete_consumers_in_container(self):
         # Create a container to test against
         body = self.create_container(
diff --git a/barbican_tempest_plugin/tests/api/test_containers.py b/barbican_tempest_plugin/tests/api/test_containers.py
index 7f19a57..1c2a6cc 100644
--- a/barbican_tempest_plugin/tests/api/test_containers.py
+++ b/barbican_tempest_plugin/tests/api/test_containers.py
@@ -12,12 +12,15 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests.api import base
 
 
 class ContainersTest(base.BaseKeyManagerTest):
     """Containers API tests."""
 
+    @decorators.idempotent_id('2e13d4bb-54de-463a-a358-0fb9a221d8f3')
     def test_create_list_delete_empty_container(self):
         # Create a container to test against.
         body = self.create_container(type="generic", name="empty-container")
@@ -61,6 +64,7 @@
 
         # Leave the container behind to get cleaned up by infra.
 
+    @decorators.idempotent_id('af10a78d-b1f8-440d-8b89-639861f16fd0')
     def test_add_to_delete_from_container(self):
         # Create a container to test against.
         body = self.create_container(type="generic", name="test-container")
diff --git a/barbican_tempest_plugin/tests/api/test_orders.py b/barbican_tempest_plugin/tests/api/test_orders.py
index fa76516..de8791b 100644
--- a/barbican_tempest_plugin/tests/api/test_orders.py
+++ b/barbican_tempest_plugin/tests/api/test_orders.py
@@ -12,12 +12,15 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests.api import base
 
 
 class OrdersTest(base.BaseKeyManagerTest):
     """Orders API tests."""
 
+    @decorators.idempotent_id('077c1729-1950-4e62-a29c-daba4aa186ad')
     def test_create_list_delete_orders(self):
         # Confirm that there are no orders
         body = self.order_client.list_orders()
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 882fbb1..cde33e3 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -15,6 +15,7 @@
 from barbican_tempest_plugin.tests.api import base
 
 from tempest import config
+from tempest.lib import decorators
 
 CONF = config.CONF
 
@@ -22,6 +23,7 @@
 class QuotasTest(base.BaseKeyManagerTest):
     """Quotas API tests."""
 
+    @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
     def test_create_get_delete_quota(self):
         # Verify the default quota settings
         body = self.quota_client.get_default_project_quota()
diff --git a/barbican_tempest_plugin/tests/api/test_secret_metadata.py b/barbican_tempest_plugin/tests/api/test_secret_metadata.py
index 5c4cd36..2c09f29 100644
--- a/barbican_tempest_plugin/tests/api/test_secret_metadata.py
+++ b/barbican_tempest_plugin/tests/api/test_secret_metadata.py
@@ -13,11 +13,14 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests.api import base
 
 
 class SecretMetadataTest(base.BaseKeyManagerTest):
     """Metadata API test"""
+    @decorators.idempotent_id('2b0c1707-afc3-4674-a6c6-4dc42f318117')
     def test_secret_metadata(self):
         # Create a secret
         sec = self.create_secret()
diff --git a/barbican_tempest_plugin/tests/api/test_secrets.py b/barbican_tempest_plugin/tests/api/test_secrets.py
index 39dae9d..da2afcb 100644
--- a/barbican_tempest_plugin/tests/api/test_secrets.py
+++ b/barbican_tempest_plugin/tests/api/test_secrets.py
@@ -22,16 +22,20 @@
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests.api import base
 
 
 class SecretsTest(base.BaseKeyManagerTest):
     """Secrets API tests."""
+    @decorators.idempotent_id('d5fb4ae4-c418-4405-9701-95fc6877aeb9')
     def test_create_delete_empty_secret(self):
         sec = self.create_secret()
         uuid = base._get_uuid(sec['secret_ref'])
         self.delete_secret(uuid)
 
+    @decorators.idempotent_id('9aee2ad3-5b61-4451-8ccc-a727bbe4618a')
     def test_create_delete_symmetric_key(self):
         password = b"password"
         salt = os.urandom(16)
@@ -50,6 +54,7 @@
         uuid = base._get_uuid(sec['secret_ref'])
         self.delete_secret(uuid)
 
+    @decorators.idempotent_id('79ec555d-215d-4006-bcf0-ab4c6cb0b9ff')
     def test_list_secrets(self):
         # Create two secrets
         self.create_secret(name='secret_1')
@@ -64,6 +69,7 @@
         secrets = resp['secrets']
         self.assertEqual('secret_2', secrets[0]['name'])
 
+    @decorators.idempotent_id('f5608620-f1f7-45a5-ac0a-e1c17d1f2f42')
     def test_get_secret_metadata(self):
         secret = self.create_secret()
         uuid = base._get_uuid(secret['secret_ref'])
@@ -71,6 +77,7 @@
         self.assertEqual(uuid, base._get_uuid(resp['secret_ref']))
         self.delete_secret(uuid)
 
+    @decorators.idempotent_id('c5caa619-1e43-4724-8d94-a61ff7025a07')
     def test_get_and_put_payload(self):
         # Create secret without payload
         secret = self.create_secret()
diff --git a/barbican_tempest_plugin/tests/base.py b/barbican_tempest_plugin/tests/base.py
index 1f97635..600ba80 100644
--- a/barbican_tempest_plugin/tests/base.py
+++ b/barbican_tempest_plugin/tests/base.py
@@ -12,7 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from oslotest import base
+from tempest.lib import base
 
 
 class TestCase(base.BaseTestCase):
diff --git a/barbican_tempest_plugin/tests/scenario/barbican_manager.py b/barbican_tempest_plugin/tests/scenario/barbican_manager.py
new file mode 100644
index 0000000..c279f04
--- /dev/null
+++ b/barbican_tempest_plugin/tests/scenario/barbican_manager.py
@@ -0,0 +1,158 @@
+# Copyright 2017 Johns Hopkins Applied Physics Lab
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import base64
+from datetime import datetime
+from datetime import timedelta
+import os
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import serialization
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+
+from oslo_log import log as logging
+from tempest import config
+from tempest.scenario import manager as mgr
+
+from barbican_tempest_plugin import clients
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class BarbicanScenarioTest(mgr.ScenarioTest):
+
+    credentials = ('primary', )
+    manager = clients.Manager()
+
+    def setUp(self):
+        super(BarbicanScenarioTest, self).setUp()
+        self.img_file = os.path.join(CONF.scenario.img_dir,
+                                     CONF.scenario.img_file)
+        self.private_key = rsa.generate_private_key(public_exponent=3,
+                                                    key_size=1024,
+                                                    backend=default_backend())
+        self.signing_certificate = self._create_self_signed_certificate(
+            self.private_key
+        )
+        self.signing_cert_uuid = self._store_cert(
+            self.signing_certificate
+        )
+
+    @classmethod
+    def skip_checks(cls):
+        super(BarbicanScenarioTest, cls).skip_checks()
+        if not CONF.service_available.barbican:
+            raise cls.skipException('Barbican is not enabled.')
+
+    @classmethod
+    def setup_clients(cls):
+        super(BarbicanScenarioTest, cls).setup_clients()
+
+        os = getattr(cls, 'os_%s' % cls.credentials[0])
+        cls.consumer_client = os.secret_v1.ConsumerClient(
+            service='key-manager'
+        )
+        cls.container_client = os.secret_v1.ContainerClient(
+            service='key-manager'
+        )
+        cls.order_client = os.secret_v1.OrderClient(service='key-manager')
+        cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
+        cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
+            service='key-manager'
+        )
+
+    def _get_uuid(self, href):
+        return href.split('/')[-1]
+
+    def _create_self_signed_certificate(self, private_key):
+        issuer = x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+            x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
+            x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
+            x509.NameAttribute(NameOID.COMMON_NAME, u"Test Certificate"),
+        ])
+        cert_builder = x509.CertificateBuilder(
+            issuer_name=issuer, subject_name=issuer,
+            public_key=private_key.public_key(),
+            serial_number=x509.random_serial_number(),
+            not_valid_before=datetime.utcnow(),
+            not_valid_after=datetime.utcnow() + timedelta(days=10)
+        )
+        cert = cert_builder.sign(private_key,
+                                 hashes.SHA256(),
+                                 default_backend())
+        return cert
+
+    def _store_cert(self, cert):
+        pem_encoding = cert.public_bytes(encoding=serialization.Encoding.PEM)
+        cert_b64 = base64.b64encode(pem_encoding)
+        expire_time = (datetime.utcnow() + timedelta(days=5))
+        LOG.debug("Uploading certificate to barbican")
+        result = self.secret_client.create_secret(
+            expiration=expire_time.isoformat(), algorithm="rsa",
+            secret_type="certificate",
+            payload_content_type="application/octet-stream",
+            payload_content_encoding="base64",
+            payload=cert_b64
+        )
+        LOG.debug("Certificate uploaded to barbican (%s)", result)
+        return self._get_uuid(result['secret_ref'])
+
+    def _sign_image(self, image_file):
+        LOG.debug("Creating signature for image data")
+        signer = self.private_key.signer(
+            padding.PSS(
+                mgf=padding.MGF1(hashes.SHA256()),
+                salt_length=padding.PSS.MAX_LENGTH
+            ),
+            hashes.SHA256()
+        )
+        chunk_bytes = 8192
+        with open(image_file, 'rb') as f:
+            chunk = f.read(chunk_bytes)
+            while len(chunk) > 0:
+                signer.update(chunk)
+                chunk = f.read(chunk_bytes)
+        signature = signer.finalize()
+        signature_b64 = base64.b64encode(signature)
+        return signature_b64
+
+    def sign_and_upload_image(self):
+        img_signature = self._sign_image(self.img_file)
+
+        img_properties = {
+            'img_signature': img_signature,
+            'img_signature_certificate_uuid': self.signing_cert_uuid,
+            'img_signature_key_type': 'RSA-PSS',
+            'img_signature_hash_method': 'SHA-256',
+        }
+
+        LOG.debug("Uploading image with signature metadata properties")
+        img_uuid = self._image_create(
+            'signed_img',
+            CONF.scenario.img_container_format,
+            self.img_file,
+            disk_format=CONF.scenario.img_disk_format,
+            properties=img_properties
+        )
+        LOG.debug("Uploaded image %s", img_uuid)
+
+        return img_uuid
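Review bot: `setUp` generates the signing key with `public_exponent=3` and `key_size=1024`, both weaker than the parameters the cryptography documentation recommends. Test fixtures for a signature-verification feature tend to be copied, so this should read `public_exponent=65537, key_size=2048`. Separately, `manager = clients.Manager()` in the class body is evaluated at import time and builds an admin-credential manager even though `credentials = ('primary', )` is declared just above; a comment explaining why admin is needed would help, or the manager could be created in `setup_clients`. In `setup_clients`, the local `os = getattr(...)` shadows the imported `os` module, and a name such as `os_clients` avoids that.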
diff --git a/barbican_tempest_plugin/tests/scenario/test_image_signing.py b/barbican_tempest_plugin/tests/scenario/test_image_signing.py
new file mode 100644
index 0000000..9070578
--- /dev/null
+++ b/barbican_tempest_plugin/tests/scenario/test_image_signing.py
@@ -0,0 +1,83 @@
+# Copyright (c) 2017 Johns Hopkins University Applied Physics Laboratory
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log as logging
+from tempest import config
+from tempest import exceptions
+from tempest.lib import decorators
+from tempest import test
+
+from barbican_tempest_plugin.tests.scenario import barbican_manager
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class ImageSigningTest(barbican_manager.BarbicanScenarioTest):
+
+    @decorators.idempotent_id('4343df3c-5553-40ea-8705-0cce73b297a9')
+    @test.services('compute', 'image')
+    def test_signed_image_upload_and_boot(self):
+        """Test that Nova boots a signed image.
+
+        The test follows these steps:
+            * Create an asymmetric keypair
+            * Sign an image file with the private key
+            * Create a certificate with the public key
+            * Store the certificate in Barbican
+            * Store the signed image in Glance
+            * Boot the signed image
+            * Confirm the instance changes state to Active
+        """
+        img_uuid = self.sign_and_upload_image()
+
+        LOG.debug("Booting server with signed image %s", img_uuid)
+        instance = self.create_server(name='signed_img_server',
+                                      image_id=img_uuid,
+                                      wait_until='ACTIVE')
+        self.servers_client.delete_server(instance['id'])
+
+    @decorators.idempotent_id('74f022d6-a6ef-4458-96b7-541deadacf99')
+    @test.services('compute', 'image')
+    def test_signed_image_upload_boot_failure(self):
+        """Test that Nova refuses to boot an incorrectly signed image.
+
+        If the create_server call succeeds instead of throwing an
+        exception, it is likely that signature verification is not
+        turned on.  To turn on signature verification, set
+        verify_glance_signatures=True in the nova configuration
+        file under the [glance] section.
+
+        The test follows these steps:
+            * Create an asymmetric keypair
+            * Sign an image file with the private key
+            * Create a certificate with the public key
+            * Store the certificate in Barbican
+            * Store the signed image in Glance
+            * Modify the signature to be incorrect
+            * Attempt to boot the incorrectly signed image
+            * Confirm an exception is thrown
+        """
+        img_uuid = self.sign_and_upload_image()
+
+        LOG.debug("Modifying image signature to be incorrect")
+        metadata = {'img_signature': 'fake_signature'}
+        self.compute_images_client.update_image_metadata(
+            img_uuid, metadata
+        )
+
+        self.assertRaisesRegex(exceptions.BuildErrorException,
+                               "Signature verification for the image failed",
+                               self.create_server,
+                               image_id=img_uuid)
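Review bot: In `test_signed_image_upload_boot_failure` the tampered value `'fake_signature'` is not a well-formed base64 signature, so the boot may be rejected while the property is decoded rather than by the RSA-PSS check itself. A stronger negative case keeps the metadata well formed and makes only the signature wrong, for instance a signature produced by the same key over different bytes. The call also relies on `create_server` waiting for the build result by default; passing `wait_until='ACTIVE'` explicitly, as the positive test does, makes that dependency visible.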
diff --git a/barbican_tempest_plugin/tests/test_barbican_tempest_plugin.py b/barbican_tempest_plugin/tests/test_barbican_tempest_plugin.py
index dc78b9f..9b542c5 100644
--- a/barbican_tempest_plugin/tests/test_barbican_tempest_plugin.py
+++ b/barbican_tempest_plugin/tests/test_barbican_tempest_plugin.py
@@ -19,10 +19,13 @@
 Tests for `barbican_tempest_plugin` module.
 """
 
+from tempest.lib import decorators
+
 from barbican_tempest_plugin.tests import base
 
 
 class TestBarbican_tempest_plugin(base.TestCase):
 
+    @decorators.idempotent_id('8abf6dec-37b9-43ca-95cf-b8ebecda3c8d')
     def test_something(self):
         pass
diff --git a/test-requirements.txt b/test-requirements.txt
index 85ae707..2bf9f2e 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7,7 +7,6 @@
 python-subunit>=0.0.18 # Apache-2.0/BSD
 sphinx>=1.2.1,!=1.3b1,<1.4 # BSD
 oslosphinx>=4.7.0 # Apache-2.0
-oslotest>=1.10.0 # Apache-2.0
 testrepository>=0.0.18  # Apache-2.0/BSD
 testscenarios>=0.4  # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
diff --git a/tools/pre_test_hook.sh b/tools/pre_test_hook.sh
index 806ca40..2640433 100755
--- a/tools/pre_test_hook.sh
+++ b/tools/pre_test_hook.sh
@@ -11,7 +11,16 @@
 # Here we can set some configurations for local.conf
 # for example, to pass some config options directly to .conf files
 
+# For image signature verification tests
 echo -e '[[post-config|$NOVA_CONF]]' >> $LOCALCONF_PATH
 echo -e '[glance]' >> $LOCALCONF_PATH
 echo -e 'verify_glance_signatures = True' >> $LOCALCONF_PATH
 
+# Allow dynamically created tempest users to create secrets
+# in barbican
+echo -e '[[test-config|$TEMPEST_CONFIG]]' >> $LOCALCONF_PATH
+echo -e '[auth]' >> $LOCALCONF_PATH
+echo -e 'tempest_roles=creator' >> $LOCALCONF_PATH
+# Glance v1 doesn't do signature verification on image upload
+echo -e '[image-feature-enabled]' >> $LOCALCONF_PATH
+echo -e 'api_v1=False' >> $LOCALCONF_PATH
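Review bot: Each added `echo ... >> $LOCALCONF_PATH` leaves the variable unquoted, so an empty or space-containing path gives a redirect error or writes to the wrong file. Quote it as `>> "$LOCALCONF_PATH"`; the start of the script is outside the hunk, so whether `set -e` would stop the hook on such an error cannot be seen here. `tempest_roles=creator` gives the Barbican creator role to every dynamically created tempest user, so the comment above it should say that this is intended for the gate job only, e.g. `# Gate-only: do not copy into a shared tempest.conf`.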
diff --git a/tox.ini b/tox.ini
index 90ca6bb..55a2b65 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,7 +13,8 @@
 commands = python setup.py test --slowest --testr-args='{posargs}'
 
 [testenv:pep8]
-commands = flake8 {posargs}
+commands =
+    flake8 {posargs}
 
 [testenv:venv]
 commands = {posargs}