Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / barbican-tempest-plugin / 832692c4fb76dc6d0da903d1d7dd515bb7f669e0^! / .
commit832692c4fb76dc6d0da903d1d7dd515bb7f669e0[log] [tgz]
authorLukas Piwowarski <lpiwowar@redhat.com>Thu Jun 01 09:12:48 2023 +0000
committerLukas Piwowarski <lpiwowar@redhat.com>Thu Jun 01 10:32:29 2023 +0000
treec4b7a4d2180ab9fd1b7c73c1829e666357c877e9
parentb5519a7015b0f28e796d82555c5d82c684896c68 [diff]
Modify test_get_effective_quota test

The test_get_effective_quotas test uses key-manager:service-admin
legacy role to get the effective quotas. Using a user with only this
role should lead to an ERROR in an SRBAC environment.

This patch changes the test so that it checks whether the ERROR
occurred when the test tried to get quotas in SRBAC environment.

Also, auth.tempest_roles = member was removed from tempest.conf
as it is not necessary and causes a failure of the modified
test and it might cause unwanted problems in the future.

Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74

diff --git a/.zuul.yaml b/.zuul.yaml
index d60cc74..84f163d 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml

@@ -130,8 +130,6 @@
               enforce_scope: True
         test-config:
           $TEMPEST_CONFIG:
-            auth:
-              tempest_roles: member
             barbican_rbac_scope_verification:
               enforce_scope: True
 

diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 2546249..7840406 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py

@@ -16,6 +16,7 @@
 
 from tempest import config
 from tempest.lib import decorators
+from tempest.lib import exceptions
 
 CONF = config.CONF
 
@@ -25,14 +26,22 @@
 
     @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
     def test_get_effective_quota(self):
-        # Verify the default quota settings
-        body = self.quota_client.get_default_project_quota()
-        quotas = body.get('quotas')
-        self.assertEqual(-1, quotas.get('secrets'))
-        self.assertEqual(-1, quotas.get('cas'))
-        self.assertEqual(-1, quotas.get('orders'))
-        self.assertEqual(-1, quotas.get('containers'))
-        self.assertEqual(-1, quotas.get('consumers'))
+        if CONF.barbican_rbac_scope_verification.enforce_scope:
+            # This test is using key-manager:service-admin legacy
+            # role. User with only this role should get a Forbidden
+            # error when trying to get effective quotas in SRBAC
+            # environment.
+            self.assertRaises(
+                exceptions.Forbidden,
+                self.quota_client.get_default_project_quota)
+        else:
+            body = self.quota_client.get_default_project_quota()
+            quotas = body.get('quotas')
+            self.assertEqual(-1, quotas.get('secrets'))
+            self.assertEqual(-1, quotas.get('cas'))
+            self.assertEqual(-1, quotas.get('orders'))
+            self.assertEqual(-1, quotas.get('containers'))
+            self.assertEqual(-1, quotas.get('consumers'))
 
 
 class ProjectQuotasTest(base.BaseKeyManagerTest):