Merge "Migrate back to Launchpad"
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index da78d15..c358aee 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -43,7 +43,12 @@
"min_microversion and max_microversion. "
"If both values are not specified, Tempest avoids tests "
"which require a microversion. Valid values are string "
- "with format 'X.Y' or string 'latest'")
+ "with format 'X.Y' or string 'latest'"),
+ cfg.StrOpt('region',
+ default='regionOne',
+ help="The barbican region name to use. If no such region is"
+ "found in the service catalog, the first found one is "
+ "used.")
]
barbican_tempest_group = cfg.OptGroup(
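Review bot: The help text of the new `region` option is missing a space between its first two string fragments, so the rendered help reads "isfound". The first fragment should end with a trailing space: `help="The barbican region name to use. If no such region is "`. The `certificate_validation` help added in the next hunk of this file has the same defect ("signaturecertificate") and needs `"Does the test environment enforce image signature "`. The option list itself starts outside this hunk.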
@@ -90,6 +95,10 @@
default=True,
help="Does the test environment enforce glance image "
"verification?"),
+ cfg.BoolOpt('certificate_validation',
+ default=True,
+ help="Does the test environment enforce image signature"
+ "certificate validation?")
]
barbican_rbac_scope_verification_group = cfg.OptGroup(
diff --git a/barbican_tempest_plugin/services/key_manager/json/base.py b/barbican_tempest_plugin/services/key_manager/json/base.py
index dedc0fd..d4a2a8a 100644
--- a/barbican_tempest_plugin/services/key_manager/json/base.py
+++ b/barbican_tempest_plugin/services/key_manager/json/base.py
@@ -9,10 +9,13 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib.common import rest_client
+CONF = config.CONF
_DEFAULT_SERVICE_TYPE = 'key-manager'
+_DEFAULT_REGION = CONF.key_manager.region
_MICROVERSION_HEADER = 'OpenStack-API-Version'
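Review bot: `_DEFAULT_REGION = CONF.key_manager.region` is evaluated when the module is imported, so importing this client module requires the `key_manager` options to be registered and the configuration to be loadable at that moment. The value is then fixed for the rest of the process. Reading the option where it is used, in the `__init__` touched by the next hunk, avoids both problems: `kwargs['region'] = CONF.key_manager.region`. As written, any `region` a caller passes is overwritten, presumably on purpose as with `service`; if callers should be able to target another region, `kwargs.setdefault('region', CONF.key_manager.region)` keeps that possible.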
@@ -22,6 +25,7 @@
def __init__(self, *args, **kwargs):
kwargs['service'] = _DEFAULT_SERVICE_TYPE
+ kwargs['region'] = _DEFAULT_REGION
super().__init__(*args, **kwargs)
def get_headers(self, accept_type=None, send_type=None):
diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
index cb5fd5e..6d3094c 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
@@ -49,12 +49,10 @@
def set_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
- resp, body = self.post(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ resp, body = self.post(uri, None)
+ self.expected_success(204, resp.status)
def unset_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
resp, body = self.delete(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ self.expected_success(204, resp.status)
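Review bot: `set_preferred_secret_store` and `unset_preferred_secret_store` now return `None` implicitly and leave `body` unused, but neither has a docstring that records this. A caller that still reads the old parsed-JSON return value would fail only later, on the `None`. I would add a one-line docstring to each, for example `"""Mark the given secret store as preferred; the API answers 204 with no body, so nothing is returned."""`. I would also bind the unused value as `resp, _ = self.post(uri, None)` and `resp, _ = self.delete(uri)`.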
diff --git a/barbican_tempest_plugin/tests/api/base.py b/barbican_tempest_plugin/tests/api/base.py
index c098978..aa500f7 100644
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@@ -81,22 +81,16 @@
def setup_clients(cls):
super(BaseKeyManagerTest, cls).setup_clients()
os = getattr(cls, 'os_%s' % cls.credentials[0])
- cls.consumer_client = os.secret_v1.ConsumerClient(
- service='key-manager'
- )
- cls.container_client = os.secret_v1.ContainerClient(
- service='key-manager'
- )
- cls.order_client = os.secret_v1.OrderClient(service='key-manager')
- cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
+ cls.consumer_client = os.secret_v1.ConsumerClient()
+ cls.container_client = os.secret_v1.ContainerClient()
+ cls.order_client = os.secret_v1.OrderClient()
+ cls.secret_client = os.secret_v1.SecretClient()
cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
- cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
- service='key-manager'
- )
+ cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
cls.version_client = os.secret_v1_1.VersionClient()
os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
- cls.quota_client = os.secret_v1.QuotaClient(service='key-manager')
+ cls.quota_client = os.secret_v1.QuotaClient()
@classmethod
def setup_credentials(cls):
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
index 6f0a00d..2e637d8 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
@@ -97,6 +97,7 @@
We need to set up the devstack plugin to use multiple backends
so we can run these tests.
"""
+ super().skip_checks()
if not CONF.barbican_tempest.enable_multiple_secret_stores:
raise cls.skipException("enable_multiple_secret_stores is not "
"configured. Skipping RBAC tests.")
@@ -125,6 +126,18 @@
self.assertTrue(resp['global_default'])
def test_get_preferred_secret_store(self):
+ # First use project admin to set preferred secret store
+ resp = self.do_request('list_secret_stores')
+ secret_store_id = self.ref_to_uuid(
+ resp['secret_stores'][0]['secret_store_ref']
+ )
+ admin_client = self.os_project_admin.secret_v1.SecretStoresClient()
+ self.do_request('set_preferred_secret_store',
+ client=admin_client,
+ secret_store_id=secret_store_id)
+
+ # Check that other users in project can view the newly set
+ # preferred secret store
resp = self.do_request('get_preferred_secret_store')
self.assertEqual('ACTIVE', resp['status'])
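Review bot: The preferred secret store that `test_get_preferred_secret_store` sets through `admin_client` is never unset within the visible lines, so the preference may leak into later tests in the same project. Registering a cleanup right after the set call would contain it: `self.addCleanup(admin_client.unset_preferred_secret_store, secret_store_id)`. The check is also weaker than the comment claims, because only `status` is asserted; adding `self.assertEqual(secret_store_id, self.ref_to_uuid(resp['secret_store_ref']))` would confirm the reader sees the store that was just set. `resp['secret_stores'][0]` also assumes the list is non-empty. The test body may continue past the end of this hunk.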
@@ -142,7 +155,7 @@
secret_store_id = self.ref_to_uuid(
resp['secret_stores'][0]['secret_store_ref']
)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
expected_status=exceptions.Forbidden,
secret_store_id=secret_store_id)
@@ -172,11 +185,10 @@
)
self.do_request('set_preferred_secret_store',
secret_store_id=secret_store_id)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
secret_store_id=secret_store_id)
- resp = self.do_request('get_preferred_secret_store')
- self.assertEqual(secret_store_id,
- self.ref_to_uuid(resp['secret_store_ref']))
+ self.do_request('get_preferred_secret_store',
+ expected_status=exceptions.NotFound)
class ProjectReaderTests(ProjectMemberTests):
diff --git a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
index e64952c..2f22329 100644
--- a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
+++ b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
@@ -11,6 +11,7 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
from oslo_log import log as logging
from tempest.common import utils
@@ -79,6 +80,9 @@
@decorators.idempotent_id('6d354881-35a6-4568-94b8-2204bbf67b29')
@utils.services('compute', 'image')
+ @testtools.skipUnless(
+ CONF.image_signature_verification.certificate_validation,
+ "Image signature certificate validation is not enforced")
def test_signed_image_invalid_cert_boot_failure(self):
"""Test that Nova refuses to boot an unvalidated signed image.