Merge "The Python 3.6 and Python 3.7 Support has been dropped since zed"
diff --git a/.zuul.yaml b/.zuul.yaml
index d1c2785..d60cc74 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,6 +7,7 @@
jobs:
- barbican-tempest-plugin-simple-crypto
- barbican-tempest-plugin-simple-crypto-secure-rbac
+ - barbican-tempest-plugin-simple-crypto-zed
- barbican-tempest-plugin-simple-crypto-yoga
- barbican-tempest-plugin-simple-crypto-xena
- barbican-tempest-plugin-simple-crypto-wallaby
@@ -48,12 +49,76 @@
api_v1: False
ephemeral_storage_encryption:
enabled: True
+ key_manager:
+ min_microversion: '1.0'
+ max_microversion: latest
tox_envlist: all
tempest_test_regex: barbican
tempest_plugins:
- barbican-tempest-plugin
- job:
+ name: barbican-tempest-plugin-simple-crypto-zed
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/zed
+ vars:
+ devstack_local_conf:
+ test-config:
+ $TEMPEST_CONFIG:
+ key_manager:
+ min_microversion: '1.0'
+ max_microversion: '1.1'
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-yoga
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/yoga
+ vars: µversion_v1_0
+ devstack_local_conf:
+ test-config:
+ $TEMPEST_CONFIG:
+ key_manager:
+ min_microversion: '1.0'
+ max_microversion: '1.0'
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-xena
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/xena
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-wallaby
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/wallaby
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-victoria
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/victoria
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ussuri
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-bionic
+ override-checkout: stable/ussuri
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-train
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-bionic
+ override-checkout: stable/train
+ vars: *microversion_v1_0
+
+- job:
name: barbican-tempest-plugin-simple-crypto-secure-rbac
parent: barbican-tempest-plugin-simple-crypto
vars:
@@ -65,23 +130,31 @@
enforce_scope: True
test-config:
$TEMPEST_CONFIG:
+ auth:
+ tempest_roles: member
barbican_rbac_scope_verification:
enforce_scope: True
- job:
- name: barbican-tempest-plugin-simple-crypto-yoga
- parent: barbican-tempest-plugin-simple-crypto
+ name: barbican-tempest-plugin-simple-crypto-secure-rbac-yoga
+ parent: barbican-tempest-plugin-simple-crypto-secure-rbac
+ nodeset: openstack-single-node-focal
override-checkout: stable/yoga
+ vars: *microversion_v1_0
- job:
- name: barbican-tempest-plugin-simple-crypto-xena
- parent: barbican-tempest-plugin-simple-crypto
+ name: barbican-tempest-plugin-simple-crypto-secure-rbac-xena
+ parent: barbican-tempest-plugin-simple-crypto-secure-rbac
+ nodeset: openstack-single-node-focal
override-checkout: stable/xena
+ vars: *microversion_v1_0
- job:
- name: barbican-tempest-plugin-simple-crypto-wallaby
- parent: barbican-tempest-plugin-simple-crypto
+ name: barbican-tempest-plugin-simple-crypto-secure-rbac-wallaby
+ parent: barbican-tempest-plugin-simple-crypto-secure-rbac
+ nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
+ vars: *microversion_v1_0
- job:
name: barbican-tempest-plugin-simple-crypto-ipv6-only
@@ -89,6 +162,49 @@
required-projects: *barbican-tempest-reqs
vars: *barbican-tempest-vars
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-yoga
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/yoga
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-xena
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/xena
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-wallaby
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/wallaby
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-victoria
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/victoria
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-ussuri
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-bionic
+ override-checkout: stable/ussuri
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-train
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-bionic
+ override-checkout: stable/train
+ vars: *microversion_v1_0
+
- job:
name: barbican-tempest-plugin-simple-crypto-castellan-src
parent: barbican-tempest-plugin-simple-crypto
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index 7b79cb5..da78d15 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -20,6 +20,32 @@
help="Whether or not barbican is expected to be "
"available")
+key_manager_group = cfg.OptGroup(
+ name='key_manager',
+ title='Key Manager (Barbican) service options'
+)
+
+KeyManagerOpts = [
+ cfg.StrOpt('min_microversion',
+ default=None,
+ help="Lower version of the test target microversion range. "
+ "The format is 'X.Y', where 'X' and 'Y' are int values. "
+ "Tempest selects tests based on the range between "
+ "min_microversion and max_microversion. "
+ "If both values are not specified, Tempest avoids tests "
+ "which require a microversion. Valid values are string "
+ "with format 'X.Y' or string 'latest'"),
+ cfg.StrOpt('max_microversion',
+ default=None,
+ help="Upper version of the test target microversion range. "
+ "The format is 'X.Y', where 'X' and 'Y' are int values. "
+ "Tempest selects tests based on the range between "
+ "min_microversion and max_microversion. "
+ "If both values are not specified, Tempest avoids tests "
+ "which require a microversion. Valid values are string "
+ "with format 'X.Y' or string 'latest'")
+]
+
barbican_tempest_group = cfg.OptGroup(
name='barbican_tempest',
title='Key Manager (Barbican) service options'
diff --git a/barbican_tempest_plugin/plugin.py b/barbican_tempest_plugin/plugin.py
index b829a05..4649e85 100644
--- a/barbican_tempest_plugin/plugin.py
+++ b/barbican_tempest_plugin/plugin.py
@@ -33,6 +33,10 @@
conf.register_opt(project_config.service_option,
group='service_available')
+ conf.register_group(project_config.key_manager_group)
+ conf.register_opts(project_config.KeyManagerOpts,
+ project_config.key_manager_group)
+
conf.register_group(project_config.barbican_tempest_group)
conf.register_opts(project_config.BarbicanGroupOpts,
project_config.barbican_tempest_group)
@@ -69,4 +73,13 @@
'TransportKeyClient'
],
}
- return [v1_params]
+ v1_1_params = {
+ 'name': 'secret_v1_1',
+ 'service_version': 'secret.v1_1',
+ 'module_path': 'barbican_tempest_plugin.services.key_manager.v1_1',
+ 'client_names': [
+ 'SecretConsumerClient',
+ 'VersionClient'
+ ],
+ }
+ return [v1_params, v1_1_params]
diff --git a/barbican_tempest_plugin/services/key_manager/json/base.py b/barbican_tempest_plugin/services/key_manager/json/base.py
index 97323a3..dedc0fd 100644
--- a/barbican_tempest_plugin/services/key_manager/json/base.py
+++ b/barbican_tempest_plugin/services/key_manager/json/base.py
@@ -13,14 +13,24 @@
_DEFAULT_SERVICE_TYPE = 'key-manager'
+_MICROVERSION_HEADER = 'OpenStack-API-Version'
class BarbicanTempestClient(rest_client.RestClient):
+ _microversion = None
+
def __init__(self, *args, **kwargs):
kwargs['service'] = _DEFAULT_SERVICE_TYPE
super().__init__(*args, **kwargs)
+ def get_headers(self, accept_type=None, send_type=None):
+ headers = super().get_headers(accept_type, send_type)
+ if self._microversion:
+ headers[_MICROVERSION_HEADER] = \
+ f'{_DEFAULT_SERVICE_TYPE} {self._microversion}'
+ return headers
+
@classmethod
def ref_to_uuid(cls, href):
return href.split('/')[-1]
diff --git a/barbican_tempest_plugin/services/key_manager/v1_1/__init__.py b/barbican_tempest_plugin/services/key_manager/v1_1/__init__.py
new file mode 100644
index 0000000..1ee6b52
--- /dev/null
+++ b/barbican_tempest_plugin/services/key_manager/v1_1/__init__.py
@@ -0,0 +1,23 @@
+# Copyright (c) 2022 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+from barbican_tempest_plugin.services.key_manager.v1_1.secret_consumer_client \
+ import SecretConsumerClient # noqa: F401
+from barbican_tempest_plugin.services.key_manager.v1_1.version_client \
+ import VersionClient # noqa: F401
+
+__all__ = [
+ 'SecretConsumerClient'
+ 'VersionClient'
+]
diff --git a/barbican_tempest_plugin/services/key_manager/v1_1/secret_consumer_client.py b/barbican_tempest_plugin/services/key_manager/v1_1/secret_consumer_client.py
new file mode 100644
index 0000000..84d7c25
--- /dev/null
+++ b/barbican_tempest_plugin/services/key_manager/v1_1/secret_consumer_client.py
@@ -0,0 +1,53 @@
+# Copyright (c) 2022 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import json
+
+from urllib import parse as urllib
+
+from tempest import config
+
+from barbican_tempest_plugin.services.key_manager.json import base
+
+
+CONF = config.CONF
+
+
+class SecretConsumerClient(base.BarbicanTempestClient):
+
+ _microversion = '1.1'
+
+ def list_consumers_in_secret(self, secret_id, **kwargs):
+ uri = "/v1/secrets/%s/consumers" % secret_id
+ if kwargs:
+ uri += "?%s" % urllib.urlencode(kwargs)
+
+ response, body = self.get(uri)
+ self.expected_success(200, response.status)
+ return json.loads(body.decode("utf-8"))
+
+ def add_consumer_to_secret(self, secret_id, **kwargs):
+ uri = "/v1/secrets/%s/consumers" % secret_id
+
+ response, body = self.post(uri, json.dumps(kwargs))
+ self.expected_success(200, response.status)
+ return json.loads(body.decode("utf-8"))
+
+ def delete_consumer_from_secret(self, secret_id, **kwargs):
+ uri = "/v1/secrets/%s/consumers" % secret_id
+
+ response, body = self.delete(uri, body=json.dumps(kwargs))
+ self.expected_success(200, response.status)
+ return json.loads(body.decode("utf-8"))
diff --git a/barbican_tempest_plugin/services/key_manager/v1_1/version_client.py b/barbican_tempest_plugin/services/key_manager/v1_1/version_client.py
new file mode 100644
index 0000000..248d4f0
--- /dev/null
+++ b/barbican_tempest_plugin/services/key_manager/v1_1/version_client.py
@@ -0,0 +1,23 @@
+# Copyright (c) 2022 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from tempest import config
+
+from barbican_tempest_plugin.services.key_manager.json import base
+
+
+CONF = config.CONF
+
+
+class VersionClient(base.BarbicanTempestClient):
+ pass
diff --git a/barbican_tempest_plugin/tests/api/base.py b/barbican_tempest_plugin/tests/api/base.py
index 2599480..566f363 100644
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@@ -16,6 +16,7 @@
import functools
from tempest import config
+from tempest.lib.common import api_version_utils
from tempest import test
from barbican_tempest_plugin import clients
@@ -56,7 +57,8 @@
return decorator
-class BaseKeyManagerTest(test.BaseTestCase):
+class BaseKeyManagerTest(test.BaseTestCase,
+ api_version_utils.BaseMicroversionTest):
"""Base class for all api tests."""
# Why do I have to be an admin to create secrets? No idea...
@@ -65,6 +67,15 @@
created_objects = {}
@classmethod
+ def skip_checks(cls):
+ super().skip_checks()
+ api_version_utils.check_skip_with_microversion(
+ cls.min_microversion,
+ cls.max_microversion,
+ CONF.key_manager.min_microversion,
+ CONF.key_manager.max_microversion)
+
+ @classmethod
def setup_clients(cls):
super(BaseKeyManagerTest, cls).setup_clients()
os = getattr(cls, 'os_%s' % cls.credentials[0])
@@ -76,9 +87,11 @@
)
cls.order_client = os.secret_v1.OrderClient(service='key-manager')
cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
+ cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
service='key-manager'
)
+ cls.version_client = os.secret_v1_1.VersionClient()
os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
cls.quota_client = os.secret_v1.QuotaClient(service='key-manager')
diff --git a/barbican_tempest_plugin/tests/api/test_secret_consumers.py b/barbican_tempest_plugin/tests/api/test_secret_consumers.py
new file mode 100644
index 0000000..8288cfd
--- /dev/null
+++ b/barbican_tempest_plugin/tests/api/test_secret_consumers.py
@@ -0,0 +1,101 @@
+# Copyright (c) 2022 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from barbican_tempest_plugin.tests.api import base
+
+
+class SecretConsumersTest(base.BaseKeyManagerTest):
+ """Secret Consumers API tests."""
+
+ min_microversion = '1.1'
+
+ @decorators.idempotent_id('07a47f8b-e454-4dd0-afb6-bfa12677cd8e')
+ def test_add_delete_consumers_in_secret(self):
+ # Create a secret to test against
+ sec = self.create_secret(name='secret_1')
+ secret_id = self.secret_consumer_client.ref_to_uuid(sec['secret_ref'])
+
+ # Confirm that the secret has no consumers
+ body = self.secret_consumer_client.list_consumers_in_secret(secret_id)
+ self.assertEqual(0, body.get('total'))
+ self.assertEmpty(body.get('consumers'))
+
+ # Add some consumers to the secret
+ body = self.secret_consumer_client.add_consumer_to_secret(
+ secret_id,
+ service="service1",
+ resource_id="resource_id1",
+ resource_type="resource_type1"
+ )
+ self.assertEqual(
+ secret_id,
+ self.secret_consumer_client.ref_to_uuid(body.get('secret_ref'))
+ )
+ self.assertEqual(1, len(body.get('consumers')))
+ body = self.secret_consumer_client.add_consumer_to_secret(
+ secret_id,
+ service="service2",
+ resource_id="resource_id2",
+ resource_type="resource_type2"
+ )
+ self.assertEqual(
+ secret_id,
+ self.secret_consumer_client.ref_to_uuid(body.get('secret_ref'))
+ )
+ self.assertEqual(2, len(body.get('consumers')))
+
+ # Confirm that the consumers are in the secret
+ body = self.secret_consumer_client.list_consumers_in_secret(secret_id)
+ self.assertEqual(2, body.get('total'))
+ self.assertEqual(2, len(body.get('consumers')))
+ for consumer in body.get('consumers'):
+ self.assertIn(consumer.get('service'), ("service1", "service2"))
+ self.assertIn(consumer.get('resource_id'),
+ ("resource_id1", "resource_id2"))
+ self.assertIn(consumer.get('resource_type'),
+ ("resource_type1", "resource_type2"))
+
+ # Remove the consumers from the secret
+ body = self.secret_consumer_client.delete_consumer_from_secret(
+ secret_id,
+ service="service1",
+ resource_id="resource_id1",
+ resource_type="resource_type1"
+ )
+ self.assertEqual(
+ secret_id,
+ self.secret_consumer_client.ref_to_uuid(body.get('secret_ref'))
+ )
+ self.assertEqual(1, len(body.get('consumers')))
+ body = self.secret_consumer_client.delete_consumer_from_secret(
+ secret_id,
+ service="service2",
+ resource_id="resource_id2",
+ resource_type="resource_type2"
+ )
+ self.assertEqual(
+ secret_id,
+ self.secret_consumer_client.ref_to_uuid(body.get('secret_ref'))
+ )
+ self.assertEqual(0, len(body.get('consumers')))
+
+ # Confirm that the secret has no consumers
+ body = self.secret_consumer_client.list_consumers_in_secret(secret_id)
+ self.assertEqual(0, body.get('total'))
+ self.assertEqual(0, len(body.get('consumers')))
+
+ # Clean up the secret
+ self.delete_secret(secret_id)
diff --git a/barbican_tempest_plugin/tests/rbac/v1/base.py b/barbican_tempest_plugin/tests/rbac/v1/base.py
index 98371fa..0e7a774 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@@ -22,9 +22,11 @@
from tempest import clients
from tempest import config
from tempest.lib import auth
+from tempest.lib.common import api_version_utils
from tempest.lib.common.utils import data_utils
from tempest import test
+
CONF = config.CONF
RESOURCE_TYPES = ['container', 'order', 'quota', 'secret']
@@ -40,7 +42,8 @@
return base64.b64encode(kdf.derive(password))
-class BarbicanV1RbacBase(test.BaseTestCase):
+class BarbicanV1RbacBase(test.BaseTestCase,
+ api_version_utils.BaseMicroversionTest):
identity_version = 'v3'
_created_projects = None
@@ -63,6 +66,11 @@
if not CONF.barbican_rbac_scope_verification.enforce_scope:
raise cls.skipException("enforce_scope is not enabled for "
"barbican, skipping RBAC tests")
+ api_version_utils.check_skip_with_microversion(
+ cls.min_microversion,
+ cls.max_microversion,
+ CONF.key_manager.min_microversion,
+ CONF.key_manager.max_microversion)
@classmethod
def setup_credentials(cls):
@@ -131,6 +139,8 @@
cls.admin_secret_client = adm.secret_v1.SecretClient()
cls.admin_secret_metadata_client = adm.secret_v1.SecretMetadataClient()
cls.admin_consumer_client = adm.secret_v1.ConsumerClient()
+ cls.admin_secret_consumer_client = \
+ adm.secret_v1_1.SecretConsumerClient()
cls.admin_container_client = adm.secret_v1.ContainerClient()
cls.admin_order_client = adm.secret_v1.OrderClient(
secret_client=cls.admin_secret_client,
@@ -143,6 +153,8 @@
cls.secret_client = member.secret_v1.SecretClient()
cls.secret_metadata_client = member.secret_v1.SecretMetadataClient()
cls.member_consumer_client = member.secret_v1.ConsumerClient()
+ cls.member_secret_consumer_client = \
+ member.secret_v1_1.SecretConsumerClient()
cls.container_client = member.secret_v1.ContainerClient()
cls.order_client = member.secret_v1.OrderClient(
secret_client=cls.secret_client,
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
index e32a397..bdd56b2 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
@@ -21,6 +21,7 @@
from barbican_tempest_plugin.tests.rbac.v1 import base as rbac_base
+
CONF = config.CONF
@@ -209,7 +210,40 @@
raise NotImplementedError
-class ProjectReaderTests(rbac_base.BarbicanV1RbacBase, BarbicanV1RbacSecrets):
+class BarbicanV1_1SecretConsumers:
+
+ @abc.abstractmethod
+ def test_list_secret_consumers(self):
+ """Test list_secret_consumers policy
+
+ Testing: GET /v1/secrets/{secret-id}/consumers
+ This test must check:
+ * whether the persona can list a secrets consumers
+ """
+ raise NotImplementedError
+
+ @abc.abstractmethod
+ def test_create_secret_consumer(self):
+ """Test create_secret_consumer policy
+
+ Testing: POST /v1/secrets/{secret-id}/consumers
+ This test must check:
+ * whether the persona can create a consumer of the secret
+ """
+ raise NotImplementedError
+
+ @abc.abstractmethod
+ def test_delete_secret_consumer(self):
+ """Test delete_secret_consumer policy
+
+ Testing: DELETE /v1/secrets/{secret-id}/consumers
+ This test must check:
+ * whether the persona can delete a consumer of the secret
+ """
+ raise NotImplementedError
+
+
+class ProjectReaderBase(rbac_base.BarbicanV1RbacBase):
@classmethod
def setup_clients(cls):
@@ -233,6 +267,9 @@
}
}
+
+class ProjectReaderTests(ProjectReaderBase, BarbicanV1RbacSecrets):
+
def test_create_secret(self):
"""Test add_secret policy."""
self.assertRaises(exceptions.Forbidden, self.client.create_secret)
@@ -406,6 +443,49 @@
self.other_secret_id)
+class ProjectReaderV1_1Tests(ProjectReaderBase, BarbicanV1_1SecretConsumers):
+
+ min_microversion = '1.1'
+
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.secret_consumer_client = \
+ cls.os_project_reader.secret_v1_1.SecretConsumerClient()
+
+ def setUp(self):
+ super().setUp()
+ self.test_consumer = {
+ "service": "service1",
+ "resource_id": "resource_id1",
+ "resource_type": "resource_type1"
+ }
+ self.member_secret_consumer_client.add_consumer_to_secret(
+ self.secret_id,
+ **self.test_consumer
+ )
+
+ def test_list_secret_consumers(self):
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.secret_consumer_client.list_consumers_in_secret,
+ self.secret_id)
+
+ def test_create_secret_consumer(self):
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.secret_consumer_client.add_consumer_to_secret,
+ self.secret_id,
+ **self.test_consumer)
+
+ def test_delete_secret_consumer(self):
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.secret_consumer_client.delete_consumer_from_secret,
+ self.secret_id,
+ **self.test_consumer)
+
+
class ProjectMemberTests(ProjectReaderTests):
@classmethod
@@ -489,9 +569,16 @@
self.assertIn("read", acl.keys())
def test_put_secret_acl(self):
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.other_secret_client.get_secret_metadata,
+ self.secret_id
+ )
_ = self.client.put_secret_acl(self.secret_id, self.valid_acl)
acl = self.client.get_secret_acl(self.secret_id)
self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+ resp = self.other_secret_client.get_secret_metadata(self.secret_id)
+ self.assertIn(self.secret_id, resp['secret_ref'])
def test_patch_secret_acl(self):
_ = self.client.put_secret_acl(self.secret_id, self.valid_acl)
@@ -518,6 +605,40 @@
self.assertNotIn('users', acl['read'].keys())
+class ProjectMemberV1_1Tests(ProjectReaderV1_1Tests):
+
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.secret_consumer_client = cls.member_secret_consumer_client
+
+ def test_list_secret_consumers(self):
+ resp = self.secret_consumer_client.list_consumers_in_secret(
+ self.secret_id
+ )
+ self.assertEqual(1, resp['total'])
+
+ def test_create_secret_consumer(self):
+ second_consumer = {
+ 'service': 'service2',
+ 'resource_id': 'resource_id2',
+ 'resource_type': 'resource_type2'
+ }
+
+ resp = self.secret_consumer_client.add_consumer_to_secret(
+ self.secret_id,
+ **second_consumer)
+
+ self.assertEqual(2, len(resp['consumers']))
+
+ def test_delete_secret_consumer(self):
+ resp = self.secret_consumer_client.delete_consumer_from_secret(
+ self.secret_id,
+ **self.test_consumer)
+
+ self.assertEqual(0, len(resp['consumers']))
+
+
class ProjectAdminTests(ProjectMemberTests):
@classmethod
def setup_clients(cls):
@@ -525,6 +646,23 @@
cls.client = cls.admin_secret_client
+class ProjectAdminV1_1Tests(ProjectMemberV1_1Tests):
+
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.secret_consumer_client = cls.admin_secret_consumer_client
+
+ def test_create_secret_consumer(self):
+ pass
+
+ def test_delete_secret_consumer(self):
+ pass
+
+ def test_list_secret_consumers(self):
+ pass
+
+
class SystemReaderTests(rbac_base.BarbicanV1RbacBase, BarbicanV1RbacSecrets):
@classmethod
diff --git a/barbican_tempest_plugin/tests/scenario/barbican_manager.py b/barbican_tempest_plugin/tests/scenario/barbican_manager.py
index 6ebf6fd..b6f24a9 100644
--- a/barbican_tempest_plugin/tests/scenario/barbican_manager.py
+++ b/barbican_tempest_plugin/tests/scenario/barbican_manager.py
@@ -106,9 +106,11 @@
)
cls.order_client = os.secret_v1.OrderClient(service='key-manager')
cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
+ cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
service='key-manager'
)
+ cls.secret_consumer_client = os.secret_v1_1.VersionClient()
if CONF.compute_feature_enabled.attach_encrypted_volume:
cls.admin_encryption_types_client =\
diff --git a/barbican_tempest_plugin/tests/scenario/manager.py b/barbican_tempest_plugin/tests/scenario/manager.py
index 04418f0..b7f8914 100644
--- a/barbican_tempest_plugin/tests/scenario/manager.py
+++ b/barbican_tempest_plugin/tests/scenario/manager.py
@@ -19,9 +19,7 @@
from tempest.common import image as common_image
from tempest.common import waiters
from tempest import config
-from tempest import exceptions
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import exceptions as lib_exc
from tempest.scenario import manager
@@ -34,48 +32,6 @@
# check_*_connectivity methods to validate instances are up and accessible
class ScenarioTest(manager.NetworkScenarioTest):
"""Base class for scenario tests. Uses tempest own clients. """
-
- credentials = ['primary']
-
- @classmethod
- def setup_clients(cls):
- super(ScenarioTest, cls).setup_clients()
- # Clients (in alphabetical order)
- cls.flavors_client = cls.os_primary.flavors_client
- cls.compute_floating_ips_client = (
- cls.os_primary.compute_floating_ips_client)
- if CONF.service_available.glance:
- # Check if glance v1 is available to determine which client to use.
- if CONF.image_feature_enabled.api_v1:
- cls.image_client = cls.os_primary.image_client
- elif CONF.image_feature_enabled.api_v2:
- cls.image_client = cls.os_primary.image_client_v2
- else:
- raise lib_exc.InvalidConfiguration(
- 'Either api_v1 or api_v2 must be True in '
- '[image-feature-enabled].')
- # Compute image client
- cls.compute_images_client = cls.os_primary.compute_images_client
- cls.keypairs_client = cls.os_primary.keypairs_client
- # Nova security groups client
- cls.compute_security_groups_client = (
- cls.os_primary.compute_security_groups_client)
- cls.compute_security_group_rules_client = (
- cls.os_primary.compute_security_group_rules_client)
- cls.servers_client = cls.os_primary.servers_client
- # Neutron network client
- cls.networks_client = cls.os_primary.networks_client
- cls.ports_client = cls.os_primary.ports_client
- cls.routers_client = cls.os_primary.routers_client
- cls.subnets_client = cls.os_primary.subnets_client
- cls.floating_ips_client = cls.os_primary.floating_ips_client
- cls.security_groups_client = cls.os_primary.security_groups_client
- cls.security_group_rules_client = (
- cls.os_primary.security_group_rules_client)
-
- cls.volumes_client = cls.os_primary.volumes_client_latest
- cls.snapshots_client = cls.os_primary.snapshots_client_latest
-
# ## Test functions library
#
# The create_[resource] functions only return body and discard the
@@ -130,183 +86,3 @@
str(failed_stores))
return image['id']
-
- def create_floating_ip(self, thing, pool_name=None):
- """Create a floating IP and associates to a server on Nova"""
-
- if not pool_name:
- pool_name = CONF.network.floating_network_name
- floating_ip = (self.compute_floating_ips_client.
- create_floating_ip(pool=pool_name)['floating_ip'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.compute_floating_ips_client.delete_floating_ip,
- floating_ip['id'])
- self.compute_floating_ips_client.associate_floating_ip_to_server(
- floating_ip['ip'], thing['id'])
- return floating_ip
-
- def nova_volume_attach(self, server, volume_to_attach):
- volume = self.servers_client.attach_volume(
- server['id'], volumeId=volume_to_attach['id'], device='/dev/%s'
- % CONF.compute.volume_device_name)['volumeAttachment']
- self.assertEqual(volume_to_attach['id'], volume['id'])
- waiters.wait_for_volume_resource_status(self.volumes_client,
- volume['id'], 'in-use')
-
- self.addCleanup(self.nova_volume_detach, server, volume)
- # Return the updated volume after the attachment
- return self.volumes_client.show_volume(volume['id'])['volume']
-
- def nova_volume_detach(self, server, volume):
- self.servers_client.detach_volume(server['id'], volume['id'])
- waiters.wait_for_volume_resource_status(self.volumes_client,
- volume['id'], 'available')
-
- volume = self.volumes_client.show_volume(volume['id'])['volume']
- self.assertEqual('available', volume['status'])
-
- def get_server_ip(self, server):
- """Get the server fixed or floating IP.
-
- Based on the configuration we're in, return a correct ip
- address for validating that a guest is up.
- """
- if CONF.validation.connect_method == 'floating':
- # The tests calling this method don't have a floating IP
- # and can't make use of the validation resources. So the
- # method is creating the floating IP there.
- return self.create_floating_ip(server)['ip']
- elif CONF.validation.connect_method == 'fixed':
- # Determine the network name to look for based on config or creds
- # provider network resources.
- if CONF.validation.network_for_ssh:
- addresses = server['addresses'][
- CONF.validation.network_for_ssh]
- else:
- creds_provider = self._get_credentials_provider()
- net_creds = creds_provider.get_primary_creds()
- network = getattr(net_creds, 'network', None)
- addresses = (server['addresses'][network['name']]
- if network else [])
- for address in addresses:
- ip_version_for_ssh = CONF.validation.ip_version_for_ssh
- if (address['version'] == ip_version_for_ssh and
- address['OS-EXT-IPS:type'] == 'fixed'):
- return address['addr']
- raise exceptions.ServerUnreachable(server_id=server['id'])
- else:
- raise lib_exc.InvalidConfiguration()
-
- def _default_security_group(self, client=None, tenant_id=None):
- """Get default secgroup for given tenant_id.
-
- :returns: default secgroup for given tenant
- """
- if client is None:
- client = self.security_groups_client
- if not tenant_id:
- tenant_id = client.tenant_id
- sgs = [
- sg for sg in list(client.list_security_groups().values())[0]
- if sg['tenant_id'] == tenant_id and sg['name'] == 'default'
- ]
- msg = "No default security group for tenant %s." % (tenant_id)
- self.assertGreater(len(sgs), 0, msg)
- return sgs[0]
-
- def _create_security_group(self):
- # Create security group
- sg_name = data_utils.rand_name(self.__class__.__name__)
- sg_desc = sg_name + " description"
- secgroup = self.compute_security_groups_client.create_security_group(
- name=sg_name, description=sg_desc)['security_group']
- self.assertEqual(secgroup['name'], sg_name)
- self.assertEqual(secgroup['description'], sg_desc)
- self.addCleanup(
- test_utils.call_and_ignore_notfound_exc,
- self.compute_security_groups_client.delete_security_group,
- secgroup['id'])
-
- # Add rules to the security group
- self._create_loginable_secgroup_rule(secgroup['id'])
-
- return secgroup
-
- def _create_loginable_secgroup_rule(self, secgroup_id=None):
- _client = self.compute_security_groups_client
- _client_rules = self.compute_security_group_rules_client
- if secgroup_id is None:
- sgs = _client.list_security_groups()['security_groups']
- for sg in sgs:
- if sg['name'] == 'default':
- secgroup_id = sg['id']
-
- # These rules are intended to permit inbound ssh and icmp
- # traffic from all sources, so no group_id is provided.
- # Setting a group_id would only permit traffic from ports
- # belonging to the same security group.
- rulesets = [
- {
- # ssh
- 'ip_protocol': 'tcp',
- 'from_port': 22,
- 'to_port': 22,
- 'cidr': '0.0.0.0/0',
- },
- {
- # ping
- 'ip_protocol': 'icmp',
- 'from_port': -1,
- 'to_port': -1,
- 'cidr': '0.0.0.0/0',
- }
- ]
- rules = list()
- for ruleset in rulesets:
- sg_rule = _client_rules.create_security_group_rule(
- parent_group_id=secgroup_id, **ruleset)['security_group_rule']
- rules.append(sg_rule)
- return rules
-
- def _create_security_group_rule(self, secgroup=None,
- sec_group_rules_client=None,
- tenant_id=None,
- security_groups_client=None, **kwargs):
- """Create a rule from a dictionary of rule parameters.
-
- Create a rule in a secgroup. if secgroup not defined will search for
- default secgroup in tenant_id.
-
- :param secgroup: the security group.
- :param tenant_id: if secgroup not passed -- the tenant in which to
- search for default secgroup
- :param kwargs: a dictionary containing rule parameters:
- for example, to allow incoming ssh:
- rule = {
- direction: 'ingress'
- protocol:'tcp',
- port_range_min: 22,
- port_range_max: 22
- }
- """
- if sec_group_rules_client is None:
- sec_group_rules_client = self.security_group_rules_client
- if security_groups_client is None:
- security_groups_client = self.security_groups_client
- if not tenant_id:
- tenant_id = security_groups_client.tenant_id
- if secgroup is None:
- secgroup = self._default_security_group(
- client=security_groups_client, tenant_id=tenant_id)
-
- ruleset = dict(security_group_id=secgroup['id'],
- tenant_id=secgroup['tenant_id'])
- ruleset.update(kwargs)
-
- sg_rule = sec_group_rules_client.create_security_group_rule(**ruleset)
- sg_rule = sg_rule['security_group_rule']
-
- self.assertEqual(secgroup['tenant_id'], sg_rule['tenant_id'])
- self.assertEqual(secgroup['id'], sg_rule['security_group_id'])
-
- return sg_rule
diff --git a/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py b/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py
index 0b81649..71e6a0a 100644
--- a/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py
+++ b/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py
@@ -63,7 +63,7 @@
client_test_path = '/tmp/ephemeral_disk_encryption_test'
img_uuid = self.sign_and_upload_image()
keypair = self.create_keypair()
- security_group = self._create_security_group()
+ security_group = self.create_security_group()
instance = self.create_server(
name='signed_img_server',
image_id=img_uuid,
diff --git a/barbican_tempest_plugin/tests/scenario/test_volume_encryption.py b/barbican_tempest_plugin/tests/scenario/test_volume_encryption.py
index 9d27866..7613fa7 100644
--- a/barbican_tempest_plugin/tests/scenario/test_volume_encryption.py
+++ b/barbican_tempest_plugin/tests/scenario/test_volume_encryption.py
@@ -15,6 +15,7 @@
import testtools
from oslo_log import log as logging
+
from tempest.common import utils
from tempest import config
from tempest.lib.common import api_version_utils
@@ -97,7 +98,7 @@
img_uuid = self.sign_and_upload_image()
LOG.info("Creating keypair and security group")
keypair = self.create_keypair()
- security_group = self._create_security_group()
+ security_group = self.create_security_group()
server = self.create_server(
name='signed_img_server',
image_id=img_uuid,
@@ -118,11 +119,13 @@
'PLAIN encryptor provider is not supported on rbd')
@decorators.idempotent_id('cbc752ed-b716-4727-910f-956ccf965723')
@utils.services('compute', 'volume', 'image')
+ @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+ 'Skip because ceph does not support Provider plain')
def test_encrypted_cinder_volumes_cryptsetup(self):
img_uuid = self.sign_and_upload_image()
LOG.info("Creating keypair and security group")
keypair = self.create_keypair()
- security_group = self._create_security_group()
+ security_group = self.create_security_group()
server = self.create_server(
name='signed_img_server',
image_id=img_uuid,