Add RBAC tests for secret consumers

Change-Id: I5eac8d6d82d0fee6105e3ba235e7aa13d4d519cc
diff --git a/barbican_tempest_plugin/tests/rbac/v1/base.py b/barbican_tempest_plugin/tests/rbac/v1/base.py
index 98371fa..0e7a774 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@@ -22,9 +22,11 @@
 from tempest import clients
 from tempest import config
 from tempest.lib import auth
+from tempest.lib.common import api_version_utils
 from tempest.lib.common.utils import data_utils
 from tempest import test
 
+
 CONF = config.CONF
 
 RESOURCE_TYPES = ['container', 'order', 'quota', 'secret']
@@ -40,7 +42,8 @@
     return base64.b64encode(kdf.derive(password))
 
 
-class BarbicanV1RbacBase(test.BaseTestCase):
+class BarbicanV1RbacBase(test.BaseTestCase,
+                         api_version_utils.BaseMicroversionTest):
 
     identity_version = 'v3'
     _created_projects = None
@@ -63,6 +66,11 @@
         if not CONF.barbican_rbac_scope_verification.enforce_scope:
             raise cls.skipException("enforce_scope is not enabled for "
                                     "barbican, skipping RBAC tests")
+        api_version_utils.check_skip_with_microversion(
+            cls.min_microversion,
+            cls.max_microversion,
+            CONF.key_manager.min_microversion,
+            CONF.key_manager.max_microversion)
 
     @classmethod
     def setup_credentials(cls):
@@ -131,6 +139,8 @@
         cls.admin_secret_client = adm.secret_v1.SecretClient()
         cls.admin_secret_metadata_client = adm.secret_v1.SecretMetadataClient()
         cls.admin_consumer_client = adm.secret_v1.ConsumerClient()
+        cls.admin_secret_consumer_client = \
+            adm.secret_v1_1.SecretConsumerClient()
         cls.admin_container_client = adm.secret_v1.ContainerClient()
         cls.admin_order_client = adm.secret_v1.OrderClient(
             secret_client=cls.admin_secret_client,
@@ -143,6 +153,8 @@
         cls.secret_client = member.secret_v1.SecretClient()
         cls.secret_metadata_client = member.secret_v1.SecretMetadataClient()
         cls.member_consumer_client = member.secret_v1.ConsumerClient()
+        cls.member_secret_consumer_client = \
+            member.secret_v1_1.SecretConsumerClient()
         cls.container_client = member.secret_v1.ContainerClient()
         cls.order_client = member.secret_v1.OrderClient(
             secret_client=cls.secret_client,
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
index e32a397..e8a3607 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
@@ -21,6 +21,7 @@
 
 from barbican_tempest_plugin.tests.rbac.v1 import base as rbac_base
 
+
 CONF = config.CONF
 
 
@@ -209,7 +210,40 @@
         raise NotImplementedError
 
 
-class ProjectReaderTests(rbac_base.BarbicanV1RbacBase, BarbicanV1RbacSecrets):
+class BarbicanV1_1SecretConsumers:
+
+    @abc.abstractmethod
+    def test_list_secret_consumers(self):
+        """Test list_secret_consumers policy
+
+        Testing: GET /v1/secrets/{secret-id}/consumers
+        This test must check:
+          * whether the persona can list a secrets consumers
+        """
+        raise NotImplementedError
+
+    @abc.abstractmethod
+    def test_create_secret_consumer(self):
+        """Test create_secret_consumer policy
+
+        Testing: POST /v1/secrets/{secret-id}/consumers
+        This test must check:
+          * whether the persona can create a consumer of the secret
+        """
+        raise NotImplementedError
+
+    @abc.abstractmethod
+    def test_delete_secret_consumer(self):
+        """Test delete_secret_consumer policy
+
+        Testing: DELETE /v1/secrets/{secret-id}/consumers
+        This test must check:
+          * whether the persona can delete a consumer of the secret
+        """
+        raise NotImplementedError
+
+
+class ProjectReaderBase(rbac_base.BarbicanV1RbacBase):
 
     @classmethod
     def setup_clients(cls):
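Review bot: `BarbicanV1_1SecretConsumers` is declared without an ABC metaclass, so the `@abc.abstractmethod` decorators on its three methods are not enforced. A persona class that omits one of them would be collected normally and only fail at run time, when the inherited stub raises `NotImplementedError`. If every persona is meant to cover every consumer policy, declare it as `class BarbicanV1_1SecretConsumers(metaclass=abc.ABCMeta):`, assuming that does not conflict with the metaclass of the test base class, which is outside this hunk. The `test_list_secret_consumers` docstring also has a typo: `* whether the persona can list a secret's consumers`. The `DELETE` docstring could note that the consumer is identified by the request body rather than the URL, which is what the `**self.test_consumer` keyword arguments in the later hunks suggest.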
@@ -233,6 +267,9 @@
             }
         }
 
+
+class ProjectReaderTests(ProjectReaderBase, BarbicanV1RbacSecrets):
+
     def test_create_secret(self):
         """Test add_secret policy."""
         self.assertRaises(exceptions.Forbidden, self.client.create_secret)
@@ -406,6 +443,49 @@
             self.other_secret_id)
 
 
+class ProjectReaderV1_1Tests(ProjectReaderBase, BarbicanV1_1SecretConsumers):
+
+    min_microversion = '1.1'
+
+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.secret_consumer_client = \
+            cls.os_project_reader.secret_v1_1.SecretConsumerClient()
+
+    def setUp(self):
+        super().setUp()
+        self.test_consumer = {
+            "service": "service1",
+            "resource_id": "resource_id1",
+            "resource_type": "resource_type1"
+        }
+        self.member_secret_consumer_client.add_consumer_to_secret(
+            self.secret_id,
+            **self.test_consumer
+        )
+
+    def test_list_secret_consumers(self):
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.secret_consumer_client.list_consumers_in_secret,
+            self.secret_id)
+
+    def test_create_secret_consumer(self):
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.secret_consumer_client.add_consumer_to_secret,
+            self.secret_id,
+            **self.test_consumer)
+
+    def test_delete_secret_consumer(self):
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.secret_consumer_client.delete_consumer_from_secret,
+            self.secret_id,
+            **self.test_consumer)
+
+
 class ProjectMemberTests(ProjectReaderTests):
 
     @classmethod
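Review bot: The three negative tests in `ProjectReaderV1_1Tests` assert only that the call raises `Forbidden`; none of them confirms that the secret's consumer list is unchanged afterwards. A policy check that rejects the request after the side effect has already happened would still pass. After the `assertRaises` in `test_create_secret_consumer` and `test_delete_secret_consumer`, re-read with the privileged client, for example `resp = self.member_secret_consumer_client.list_consumers_in_secret(self.secret_id)` followed by `self.assertEqual(1, resp['total'])`. Separately, `setUp` adds a consumer through the member client without a matching `addCleanup`. Whether the secret's teardown copes with a consumer still being attached depends on base-class code outside this hunk, so that is worth confirming.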
@@ -518,6 +598,40 @@
         self.assertNotIn('users', acl['read'].keys())
 
 
+class ProjectMemberV1_1Tests(ProjectReaderV1_1Tests):
+
+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.secret_consumer_client = cls.member_secret_consumer_client
+
+    def test_list_secret_consumers(self):
+        resp = self.secret_consumer_client.list_consumers_in_secret(
+            self.secret_id
+        )
+        self.assertEqual(1, resp['total'])
+
+    def test_create_secret_consumer(self):
+        second_consumer = {
+            'service': 'service2',
+            'resource_id': 'resource_id2',
+            'resource_type': 'resource_type2'
+        }
+
+        resp = self.secret_consumer_client.add_consumer_to_secret(
+            self.secret_id,
+            **second_consumer)
+
+        self.assertEqual(2, len(resp['consumers']))
+
+    def test_delete_secret_consumer(self):
+        resp = self.secret_consumer_client.delete_consumer_from_secret(
+            self.secret_id,
+            **self.test_consumer)
+
+        self.assertEqual(0, len(resp['consumers']))
+
+
 class ProjectAdminTests(ProjectMemberTests):
     @classmethod
     def setup_clients(cls):
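Review bot: The member tests only ever target `self.secret_id`, so nothing in `ProjectMemberV1_1Tests` checks that a project member is refused when the secret belongs to someone else. The file already uses `self.other_secret_id` (context line at the top of the previous hunk); if that is a secret outside the persona's project, add a denial case such as `self.assertRaises(exceptions.Forbidden, self.secret_consumer_client.add_consumer_to_secret, self.other_secret_id, **self.test_consumer)`. The same gap applies to list and delete, and to `ProjectReaderV1_1Tests`. The positive assertions also compare only counts (`resp['total']`, `len(resp['consumers'])`). Asserting that the returned entry matches `self.test_consumer` or `second_consumer` would catch a response that has the right length but the wrong contents.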
@@ -525,6 +639,23 @@
         cls.client = cls.admin_secret_client
 
 
+class ProjectAdminV1_1Tests(ProjectMemberV1_1Tests):
+
+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.secret_consumer_client = cls.admin_secret_consumer_client
+
+    def test_create_secret_consumer(self):
+        pass
+
+    def test_delete_secret_consumer(self):
+        pass
+
+    def test_list_secret_consumers(self):
+        pass
+
+
 class SystemReaderTests(rbac_base.BarbicanV1RbacBase, BarbicanV1RbacSecrets):
 
     @classmethod
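Review bot: All three test overrides in `ProjectAdminV1_1Tests` have a body of `pass`, so the admin persona reports three passing consumer-policy tests that send no request and assert nothing. That hides a coverage gap in an RBAC suite, and it leaves the `cls.secret_consumer_client = cls.admin_secret_consumer_client` assignment in `setup_clients` unused. If the admin persona is expected to behave like a member, delete the overrides so the inherited tests run against the admin client. If the expected behaviour is different or undecided, assert it explicitly, or make the gap visible with `self.skipTest('<reason>')` instead of a silent pass.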