Merge "Update python testing as per zed cycle teting runtime"
diff --git a/.zuul.yaml b/.zuul.yaml
index d60cc74..023452c 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,10 +7,9 @@
jobs:
- barbican-tempest-plugin-simple-crypto
- barbican-tempest-plugin-simple-crypto-secure-rbac
+ - barbican-tempest-plugin-simple-crypto-2023-2
+ - barbican-tempest-plugin-simple-crypto-2023-1
- barbican-tempest-plugin-simple-crypto-zed
- - barbican-tempest-plugin-simple-crypto-yoga
- - barbican-tempest-plugin-simple-crypto-xena
- - barbican-tempest-plugin-simple-crypto-wallaby
- barbican-tempest-plugin-simple-crypto-ipv6-only
- barbican-tempest-plugin-simple-crypto-castellan-src
- barbican-tempest-plugin-simple-crypto-cursive
@@ -22,9 +21,9 @@
name: barbican-tempest-plugin-simple-crypto
parent: devstack-tempest
required-projects: &barbican-tempest-reqs
- - opendev.org/openstack/barbican
- - opendev.org/openstack/barbican-tempest-plugin
- - opendev.org/openstack/python-barbicanclient
+ - openstack/barbican
+ - openstack/barbican-tempest-plugin
+ - openstack/python-barbicanclient
vars: &barbican-tempest-vars
devstack_plugins:
barbican: https://opendev.org/openstack/barbican
@@ -43,7 +42,7 @@
test-config:
$TEMPEST_CONFIG:
auth:
- tempest_roles: creator
+ create_isolated_networks: False
image-feature-enabled:
# this may be removed soon, as api_v1 is false since tempest>=20
api_v1: False
@@ -58,6 +57,32 @@
- barbican-tempest-plugin
- job:
+ name: barbican-tempest-plugin-simple-crypto-2023-2
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.2
+ vars:
+ devstack_local_conf:
+ test-config:
+ $TEMPEST_CONFIG:
+ key_manager:
+ min_microversion: '1.0'
+ max_microversion: '1.1'
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-2023-1
+ parent: barbican-tempest-plugin-simple-crypto
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.1
+ vars:
+ devstack_local_conf:
+ test-config:
+ $TEMPEST_CONFIG:
+ key_manager:
+ min_microversion: '1.0'
+ max_microversion: '1.1'
+
+- job:
name: barbican-tempest-plugin-simple-crypto-zed
parent: barbican-tempest-plugin-simple-crypto
nodeset: openstack-single-node-focal
@@ -95,6 +120,9 @@
parent: barbican-tempest-plugin-simple-crypto
nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: wallaby-last
vars: *microversion_v1_0
- job:
@@ -102,6 +130,9 @@
parent: barbican-tempest-plugin-simple-crypto
nodeset: openstack-single-node-focal
override-checkout: stable/victoria
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: victoria-last
vars: *microversion_v1_0
- job:
@@ -109,6 +140,9 @@
parent: barbican-tempest-plugin-simple-crypto
nodeset: openstack-single-node-bionic
override-checkout: stable/ussuri
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: ussuri-last
vars: *microversion_v1_0
- job:
@@ -116,30 +150,64 @@
parent: barbican-tempest-plugin-simple-crypto
nodeset: openstack-single-node-bionic
override-checkout: stable/train
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: train-last
vars: *microversion_v1_0
- job:
name: barbican-tempest-plugin-simple-crypto-secure-rbac
parent: barbican-tempest-plugin-simple-crypto
vars:
+ devstack_localrc:
+ ENFORCE_SCOPE: True
devstack_local_conf:
- post-config:
- $BARBICAN_CONF:
- oslo_policy:
- enforce_new_defaults: True
- enforce_scope: True
+ # (lpiwowar): Uncomment once this bug is resolved:
+ # https://bugs.launchpad.net/barbican/+bug/2043457
+ # post-config:
+ # $BARBICAN_CONF:
+ # secretstore:
+ # enable_multiple_secret_stores: True
+ # stores_lookup_suffix: simple_crypto
+ # secretstore:simple_crypto:
+ # secret_store_plugin: store_crypto
+ # crypto_plugin: simple_crypto
+ # global_default: true
test-config:
$TEMPEST_CONFIG:
- auth:
- tempest_roles: member
- barbican_rbac_scope_verification:
- enforce_scope: True
+ enforce_scope:
+ barbican: True
+ # barbican_tempest:
+ # enable_multiple_secret_stores: True
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-secure-rbac-2023-1
+ parent: barbican-tempest-plugin-simple-crypto-secure-rbac
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.1
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-secure-rbac-zed
+ parent: barbican-tempest-plugin-simple-crypto-secure-rbac
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/zed
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
+ vars: *microversion_v1_0
- job:
name: barbican-tempest-plugin-simple-crypto-secure-rbac-yoga
parent: barbican-tempest-plugin-simple-crypto-secure-rbac
nodeset: openstack-single-node-focal
override-checkout: stable/yoga
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
vars: *microversion_v1_0
- job:
@@ -147,6 +215,9 @@
parent: barbican-tempest-plugin-simple-crypto-secure-rbac
nodeset: openstack-single-node-focal
override-checkout: stable/xena
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
vars: *microversion_v1_0
- job:
@@ -154,6 +225,9 @@
parent: barbican-tempest-plugin-simple-crypto-secure-rbac
nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: wallaby-last
vars: *microversion_v1_0
- job:
@@ -164,10 +238,33 @@
- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-2023-1
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.1
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
+ vars: *microversion_v1_0
+
+- job:
+ name: barbican-tempest-plugin-simple-crypto-ipv6-only-zed
+ parent: barbican-tempest-plugin-simple-crypto-ipv6-only
+ nodeset: openstack-single-node-focal
+ override-checkout: stable/zed
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
+ vars: *microversion_v1_0
+
+- job:
name: barbican-tempest-plugin-simple-crypto-ipv6-only-yoga
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-focal
override-checkout: stable/yoga
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
vars: *microversion_v1_0
- job:
@@ -175,6 +272,9 @@
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-focal
override-checkout: stable/xena
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: a31f9ef3a68e58fe970783d1b7b4cff45e4ee78b
vars: *microversion_v1_0
- job:
@@ -182,6 +282,9 @@
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: wallaby-last
vars: *microversion_v1_0
- job:
@@ -189,6 +292,9 @@
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-focal
override-checkout: stable/victoria
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: victoria-last
vars: *microversion_v1_0
- job:
@@ -196,6 +302,9 @@
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-bionic
override-checkout: stable/ussuri
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: ussuri-last
vars: *microversion_v1_0
- job:
@@ -203,13 +312,16 @@
parent: barbican-tempest-plugin-simple-crypto-ipv6-only
nodeset: openstack-single-node-bionic
override-checkout: stable/train
+ required-projects:
+ - name: openstack/barbican-tempest-plugin
+ override-checkout: train-last
vars: *microversion_v1_0
- job:
name: barbican-tempest-plugin-simple-crypto-castellan-src
parent: barbican-tempest-plugin-simple-crypto
required-projects:
- - opendev.org/openstack/castellan
+ - openstack/castellan
- job:
name: barbican-tempest-plugin-simple-crypto-cursive
diff --git a/README.rst b/README.rst
index 6ee45c6..929d44f 100644
--- a/README.rst
+++ b/README.rst
@@ -22,4 +22,4 @@
Bugs
----
-Please report bugs to: https://storyboard.openstack.org/#!/project/openstack/barbican-tempest-plugin
+Please report bugs to: http://bugs.launchpad.net/barbican
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index da78d15..ad32de6 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -43,7 +43,12 @@
"min_microversion and max_microversion. "
"If both values are not specified, Tempest avoids tests "
"which require a microversion. Valid values are string "
- "with format 'X.Y' or string 'latest'")
+ "with format 'X.Y' or string 'latest'"),
+ cfg.StrOpt('region',
+ default='regionOne',
+ help="The barbican region name to use. If no such region is"
+ "found in the service catalog, the first found one is "
+ "used.")
]
barbican_tempest_group = cfg.OptGroup(
@@ -90,15 +95,17 @@
default=True,
help="Does the test environment enforce glance image "
"verification?"),
+ cfg.BoolOpt('certificate_validation',
+ default=True,
+ help="Does the test environment enforce image signature"
+ "certificate validation?")
]
-barbican_rbac_scope_verification_group = cfg.OptGroup(
- name="barbican_rbac_scope_verification",
- title="Barbican RBAC Verification Options")
-
-BarbicanRBACScopeVerificationGroup = [
- cfg.BoolOpt('enforce_scope',
+EnforceScopeGroup = [
+ cfg.BoolOpt('barbican',
default=False,
+ deprecated_group='barbican_rbac_scope_verification',
+ deprecated_name='enforce_scope',
help="Does barbican enforce scope and user "
"scope-aware policies?"),
]
diff --git a/barbican_tempest_plugin/plugin.py b/barbican_tempest_plugin/plugin.py
index 4649e85..8f57374 100644
--- a/barbican_tempest_plugin/plugin.py
+++ b/barbican_tempest_plugin/plugin.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-
import os
from tempest.test_discover import plugins
@@ -32,6 +31,8 @@
def register_opts(self, conf):
conf.register_opt(project_config.service_option,
group='service_available')
+ conf.register_opts(
+ project_config.EnforceScopeGroup, group='enforce_scope')
conf.register_group(project_config.key_manager_group)
conf.register_opts(project_config.KeyManagerOpts,
@@ -45,17 +46,24 @@
conf.register_group(project_config.ephemeral_storage_encryption_group)
conf.register_opts(project_config.EphemeralStorageEncryptionGroup,
project_config.ephemeral_storage_encryption_group)
+
+ conf.register_group(project_config.image_signature_verification_group)
conf.register_opts(project_config.ImageSignatureVerificationGroup,
project_config.image_signature_verification_group)
- conf.register_group(
- project_config.barbican_rbac_scope_verification_group)
- conf.register_opts(
- project_config.BarbicanRBACScopeVerificationGroup,
- project_config.barbican_rbac_scope_verification_group
- )
def get_opt_lists(self):
- return [('service_available', [project_config.service_option])]
+ return [
+ ('service_available', [project_config.service_option]),
+ (project_config.key_manager_group.name,
+ project_config.KeyManagerOpts),
+ (project_config.barbican_tempest_group.name,
+ project_config.BarbicanGroupOpts),
+ (project_config.ephemeral_storage_encryption_group.name,
+ project_config.EphemeralStorageEncryptionGroup),
+ (project_config.image_signature_verification_group.name,
+ project_config.ImageSignatureVerificationGroup),
+ ('enforce_scope', project_config.EnforceScopeGroup)
+ ]
def get_service_clients(self):
v1_params = {
diff --git a/barbican_tempest_plugin/services/key_manager/json/base.py b/barbican_tempest_plugin/services/key_manager/json/base.py
index dedc0fd..d4a2a8a 100644
--- a/barbican_tempest_plugin/services/key_manager/json/base.py
+++ b/barbican_tempest_plugin/services/key_manager/json/base.py
@@ -9,10 +9,13 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib.common import rest_client
+CONF = config.CONF
_DEFAULT_SERVICE_TYPE = 'key-manager'
+_DEFAULT_REGION = CONF.key_manager.region
_MICROVERSION_HEADER = 'OpenStack-API-Version'
@@ -22,6 +25,7 @@
def __init__(self, *args, **kwargs):
kwargs['service'] = _DEFAULT_SERVICE_TYPE
+ kwargs['region'] = _DEFAULT_REGION
super().__init__(*args, **kwargs)
def get_headers(self, accept_type=None, send_type=None):
diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
index 5eb97b5..414a5d4 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
@@ -15,6 +15,7 @@
import json
+import urllib.parse
from tempest import config
from tempest.lib.common.utils import data_utils
@@ -73,12 +74,21 @@
self.expected_success(200, resp.status)
return self._parse_resp(body)
- def get_secret_payload(self, secret_id):
+ def get_secret_payload(self, secret_id, **kwargs):
+ """GET /v1/secrets/{secret_id}/payload
+
+ Retrieve the payload.If kwargs are provided they are added
+ to the request as query string parameters.
+ """
content_headers = {
"Accept": "application/octet-stream"
}
- resp, body = self.get("v1/secrets/%s/payload" % secret_id,
- headers=content_headers)
+ uri = "v1/secrets/{}/payload".format(secret_id)
+ if kwargs:
+ uri += '?'
+ uri += urllib.parse.urlencode(kwargs)
+
+ resp, body = self.get(uri, headers=content_headers)
self.expected_success(200, resp.status)
return self._parse_resp(body)
diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
index cb5fd5e..6d3094c 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
@@ -49,12 +49,10 @@
def set_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
- resp, body = self.post(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ resp, body = self.post(uri, None)
+ self.expected_success(204, resp.status)
def unset_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
resp, body = self.delete(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ self.expected_success(204, resp.status)
diff --git a/barbican_tempest_plugin/tests/api/base.py b/barbican_tempest_plugin/tests/api/base.py
index 566f363..50ae662 100644
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@@ -61,14 +61,15 @@
api_version_utils.BaseMicroversionTest):
"""Base class for all api tests."""
- # Why do I have to be an admin to create secrets? No idea...
- credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
+ credentials = ['project_admin']
client_manager = clients.Clients
created_objects = {}
@classmethod
def skip_checks(cls):
super().skip_checks()
+ if not CONF.service_available.barbican:
+ raise cls.skipException('Barbican is not enabled.')
api_version_utils.check_skip_with_microversion(
cls.min_microversion,
cls.max_microversion,
@@ -79,22 +80,14 @@
def setup_clients(cls):
super(BaseKeyManagerTest, cls).setup_clients()
os = getattr(cls, 'os_%s' % cls.credentials[0])
- cls.consumer_client = os.secret_v1.ConsumerClient(
- service='key-manager'
- )
- cls.container_client = os.secret_v1.ContainerClient(
- service='key-manager'
- )
- cls.order_client = os.secret_v1.OrderClient(service='key-manager')
- cls.secret_client = os.secret_v1.SecretClient(service='key-manager')
+ cls.consumer_client = os.secret_v1.ConsumerClient()
+ cls.container_client = os.secret_v1.ContainerClient()
+ cls.order_client = os.secret_v1.OrderClient()
+ cls.secret_client = os.secret_v1.SecretClient()
cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
- cls.secret_metadata_client = os.secret_v1.SecretMetadataClient(
- service='key-manager'
- )
+ cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
cls.version_client = os.secret_v1_1.VersionClient()
-
- os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
- cls.quota_client = os.secret_v1.QuotaClient(service='key-manager')
+ cls.quota_client = os.secret_v1.QuotaClient()
@classmethod
def setup_credentials(cls):
diff --git a/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
new file mode 100644
index 0000000..84c35e2
--- /dev/null
+++ b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from barbican_tempest_plugin.tests.rbac.v1 import base
+from oslo_log import log as logging
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class CVE20223100Test(base.BarbicanV1RbacBase):
+
+ @decorators.idempotent_id('459159ef-9670-4c59-8528-09466185c84e')
+ def test_cve_2022_3100(self):
+ # create a secret that belongs to Project B
+ secret_id = self.create_test_secret(
+ self.other_secret_client,
+ data_utils.rand_name('secret-under-test'),
+ 'DONT_CVE_ME_PLZ')
+
+ # attempt to retrieve secret payload with user from Project A
+ # using CVE exploit (e.g. by adding the query string
+ # ?target.secret.read=read to the request)
+ query = {'target.secret.read': 'read'}
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.secret_client.get_secret_payload,
+ secret_id,
+ **query)
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 2546249..e9cc39a 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -17,6 +17,7 @@
from tempest import config
from tempest.lib import decorators
+
CONF = config.CONF
@@ -25,7 +26,6 @@
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
def test_get_effective_quota(self):
- # Verify the default quota settings
body = self.quota_client.get_default_project_quota()
quotas = body.get('quotas')
self.assertEqual(-1, quotas.get('secrets'))
@@ -37,16 +37,24 @@
class ProjectQuotasTest(base.BaseKeyManagerTest):
+ credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
+
@classmethod
def skip_checks(cls):
super().skip_checks()
- if CONF.barbican_rbac_scope_verification.enforce_scope:
+ if CONF.enforce_scope.barbican:
# These tests can't be run with the new RBAC rules because
# the APIs they're testing require system-scoped credentials
# instead of the project-scoped credentials used here.
raise cls.skipException("enforce_scope is enabled for barbican, "
"skipping project quota tests.")
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
+
+ @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
def test_manage_project_quotas(self):
# Confirm that there are no quotas
body = self.quota_client.list_quotas()
@@ -55,7 +63,7 @@
# Create a quota set for the test project
self.create_project_quota(
- self.quota_client.tenant_id,
+ self.quota_client.project_id,
project_quotas={
'secrets': 30,
'orders': 10,
@@ -69,7 +77,7 @@
self.assertEqual(1, len(body.get('project_quotas')), body)
project_quotas = body.get('project_quotas')[0]
self.assertEqual(
- self.quota_client.tenant_id,
+ self.quota_client.project_id,
project_quotas.get('project_id'),
body
)
@@ -80,7 +88,7 @@
# Verify that the quotas can be found via specific listing.
body = self.quota_client.get_project_quota(
- self.quota_client.tenant_id
+ self.quota_client.project_id
)
project_quotas = body.get('project_quotas')
self.assertEqual(30, project_quotas.get('secrets'), body)
@@ -88,7 +96,7 @@
self.assertEqual(20, project_quotas.get('containers'), body)
# Delete the project quota and confirm that it got deleted
- self.delete_project_quota(self.quota_client.tenant_id)
+ self.delete_project_quota(self.quota_client.project_id)
body = self.quota_client.list_quotas()
self.assertEqual(0, body.get('total'), body)
diff --git a/barbican_tempest_plugin/tests/rbac/v1/base.py b/barbican_tempest_plugin/tests/rbac/v1/base.py
index 0e7a774..b25e211 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@@ -63,7 +63,7 @@
@classmethod
def skip_checks(cls):
super().skip_checks()
- if not CONF.barbican_rbac_scope_verification.enforce_scope:
+ if not CONF.enforce_scope.barbican:
raise cls.skipException("enforce_scope is not enabled for "
"barbican, skipping RBAC tests")
api_version_utils.check_skip_with_microversion(
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
index 16d743f..dd2123c 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
@@ -13,6 +13,7 @@
from tempest import config
from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -195,34 +196,40 @@
**self.test_consumer
)
+ @decorators.idempotent_id('1f0879ae-7e02-4d37-a37c-ee9bc11b40ef')
def test_list_containers(self):
self.assertRaises(
exceptions.Forbidden,
self.client.list_containers)
+ @decorators.idempotent_id('91406373-339d-4322-bf69-e2842564b9d1')
def test_create_container(self):
self.assertRaises(
exceptions.Forbidden,
self.client.create_container)
+ @decorators.idempotent_id('c2f5e209-82db-48c7-b11b-2719d3305753')
def test_get_container(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_container,
container_id=self.container_id)
+ @decorators.idempotent_id('af342d75-67de-4341-9e96-6a58c75a3226')
def test_delete_container(self):
self.assertRaises(
exceptions.Forbidden,
self.client.delete_container,
container_id=self.container_id)
+ @decorators.idempotent_id('baa049d5-72a3-4848-8997-a4abd43e00b3')
def test_get_container_acl(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_container_acl,
self.container_id)
+ @decorators.idempotent_id('6b330e3b-4696-496c-9d65-1cdff39439b9')
def test_update_container_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -230,6 +237,7 @@
self.container_id,
self.valid_acl)
+ @decorators.idempotent_id('f78cd73f-e01f-47d3-be5a-83f56837efa1')
def test_create_container_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -237,18 +245,21 @@
self.container_id,
self.valid_acl)
+ @decorators.idempotent_id('79ef4f66-4a77-44fd-b014-94c075c26bd6')
def test_delete_container_acl(self):
self.assertRaises(
exceptions.Forbidden,
self.client.delete_container,
self.container_id)
+ @decorators.idempotent_id('71b335fc-8cb6-4229-bd02-866df4ede926')
def test_list_container_consumers(self):
self.assertRaises(
exceptions.Forbidden,
self.consumer_client.list_consumers_in_container,
self.container_id)
+ @decorators.idempotent_id('7c64295e-5584-4673-99f8-a87275072f95')
def test_create_container_consumer(self):
self.assertRaises(
exceptions.Forbidden,
@@ -256,6 +267,7 @@
self.container_id,
**self.test_consumer)
+ @decorators.idempotent_id('f3dac21e-cfc2-4a97-bd0e-2a207241e9cf')
def test_delete_container_consumer(self):
self.assertRaises(
exceptions.Forbidden,
@@ -263,6 +275,7 @@
self.container_id,
**self.test_consumer)
+ @decorators.idempotent_id('96cfab13-67f6-488b-868d-f0609c26553a')
def test_add_secret_to_container(self):
self.assertRaises(
exceptions.Forbidden,
@@ -270,6 +283,7 @@
container_id=self.container_id,
secret_id=self.secret_id)
+ @decorators.idempotent_id('d9590a9d-a8be-481e-b50f-22f26973cba4')
def test_delete_secret_from_container(self):
self.assertRaises(
exceptions.Forbidden,
@@ -286,12 +300,14 @@
cls.client = cls.container_client
cls.consumer_client = cls.member_consumer_client
+ @decorators.idempotent_id('028f8858-d463-4f51-befc-63a350e87da2')
def test_list_containers(self):
resp = self.client.list_containers()
containers = resp['containers']
self.assertGreaterEqual(len(containers), 1)
+ @decorators.idempotent_id('db79462a-e6fd-44f5-9d4d-da3c7fda6896')
def test_create_container(self):
container_id = self.create_test_container(
self.client,
@@ -299,6 +315,7 @@
_ = self.container_client.get_container(container_id)
+ @decorators.idempotent_id('8d47fec6-487e-43a5-984d-0c3ef08d23e3')
def test_get_container(self):
resp = self.client.get_container(self.container_id)
@@ -306,6 +323,7 @@
self.container_id,
self.client.ref_to_uuid(resp['container_ref']))
+ @decorators.idempotent_id('3c96cec6-02c9-4cae-bea9-be11b22d21aa')
def test_delete_container(self):
self.client.delete_container(self.container_id)
@@ -314,6 +332,7 @@
for c in resp['containers']]
self.assertNotIn(self.container_id, container_ids)
+ @decorators.idempotent_id('64f5bc21-51b5-451a-932b-e6091bf113c3')
def test_add_secret_to_container(self):
self.client.add_secret_to_container(
container_id=self.container_id,
@@ -324,6 +343,7 @@
for sr in resp['secret_refs']]
self.assertIn(self.secret_id, secret_ids)
+ @decorators.idempotent_id('8efb0a35-9b6d-4bde-84f7-43a72ef86bf3')
def test_delete_secret_from_container(self):
self.client.add_secret_to_container(
self.container_id,
@@ -342,16 +362,19 @@
for sr in resp['secret_refs']]
self.assertNotIn(self.secret_id, secret_ids)
+ @decorators.idempotent_id('167a7fd7-3a08-4d9b-8e5f-2e0d438deea4')
def test_get_container_acl(self):
resp = self.client.get_container_acl(self.container_id)
self.assertIn('read', resp.keys())
+ @decorators.idempotent_id('072fd676-36da-44e5-ab53-29a0f1dfe3f1')
def test_create_container_acl(self):
_ = self.client.put_container_acl(self.container_id, self.valid_acl)
acl = self.client.get_container_acl(self.container_id)
self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+ @decorators.idempotent_id('f5fb9d69-5942-45a3-8c71-2d723e816d52')
def test_update_container_acl(self):
_ = self.client.put_container_acl(self.container_id, self.valid_acl)
acl = self.client.get_container_acl(self.container_id)
@@ -368,6 +391,7 @@
self.assertNotIn(self.other_secret_client.user_id,
acl['read']['users'])
+ @decorators.idempotent_id('03a94e74-13da-40d5-ac63-19e9e7552379')
def test_delete_container_acl(self):
_ = self.client.put_container_acl(self.container_id, self.valid_acl)
acl = self.client.get_container_acl(self.container_id)
@@ -378,12 +402,14 @@
acl = self.client.get_container_acl(self.container_id)
self.assertNotIn('users', acl['read'].keys())
+ @decorators.idempotent_id('7d171230-0ec5-443c-84df-ba79bea52064')
def test_list_container_consumers(self):
resp = self.consumer_client.list_consumers_in_container(
self.container_id
)
self.assertEqual(1, resp['total'])
+ @decorators.idempotent_id('a7f3b9cb-7be1-49bb-9505-e8b16e30b24f')
def test_create_container_consumer(self):
second_consumer = {
'name': 'another-test-consumer',
@@ -396,6 +422,7 @@
self.assertEqual(2, len(resp['consumers']))
+ @decorators.idempotent_id('b28e5ed5-797a-46fc-81c4-96a8bfa80757')
def test_delete_container_consumer(self):
resp = self.consumer_client.delete_consumer_from_container(
self.container_id,
@@ -442,10 +469,12 @@
self.other_container_client,
data_utils.rand_name('test-containers'))
+ @decorators.idempotent_id('23857de9-c335-4778-b10b-75191990e20c')
def test_list_containers(self):
"""This is not possible across projects"""
pass
+ @decorators.idempotent_id('cff55c34-fdca-44ab-a136-3b70c75fd8ff')
def test_create_container(self):
"""This is not possible across projects"""
pass
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_orders.py b/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
index 964d95d..d054bc9 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
@@ -11,6 +11,7 @@
# limitations under the License.
import abc
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -89,9 +90,11 @@
super().setup_clients()
cls.client = cls.os_project_reader.secret_v1.OrderClient()
+ @decorators.idempotent_id('78c66385-c8ae-44a7-942e-5e1f87072198')
def test_list_orders(self):
self.assertRaises(exceptions.Forbidden, self.client.list_orders)
+ @decorators.idempotent_id('fa5f861d-a376-437d-ab88-b3eea9a20403')
def test_create_order(self):
self.assertRaises(
exceptions.Forbidden,
@@ -100,6 +103,7 @@
'create_orders_s'
)
+ @decorators.idempotent_id('39227b64-4d99-42ce-9acb-0fc4df2949ab')
def test_get_order(self):
order_id = self.create_test_order(self.order_client, 'test_get_order')
self.assertRaises(
@@ -107,6 +111,7 @@
self.client.get_order,
order_id=order_id)
+ @decorators.idempotent_id('ca5ef19c-19f3-45fd-a20d-920c1bb6414c')
def test_delete_order(self):
order_id = self.create_test_order(self.order_client,
'test_delete_order')
@@ -115,6 +120,7 @@
self.client.delete_order,
order_id=order_id)
+ @decorators.idempotent_id('9689c961-2b91-4d4d-b3f3-4f185e7ae1cc')
def test_get_other_project_order(self):
order_id = self.create_test_order(
self.other_order_client,
@@ -124,6 +130,7 @@
self.client.get_order,
order_id)
+ @decorators.idempotent_id('ee9d022c-90d5-427b-b430-b10323270a49')
def test_delete_other_project_order(self):
order_id = self.create_test_order(
self.other_order_client,
@@ -141,19 +148,23 @@
super().setup_clients()
cls.client = cls.os_project_member.secret_v1.OrderClient()
+ @decorators.idempotent_id('789262f2-34fd-46c3-824a-f780d5b5c603')
def test_list_orders(self):
_ = self.create_test_order(self.order_client, 'test_list_orders')
resp = self.client.list_orders()
self.assertGreaterEqual(len(resp['orders']), 1)
+ @decorators.idempotent_id('898154b7-b4e0-44d8-bf84-e87de5d0b48b')
def test_create_order(self):
self.create_test_order(self.client, 'create_orders_s')
+ @decorators.idempotent_id('798c715d-37fb-4c8b-89c5-e679b016fde7')
def test_get_order(self):
order_id = self.create_test_order(self.order_client, 'test_get_order')
resp = self.client.get_order(order_id)
self.assertEqual(order_id, self.client.ref_to_uuid(resp['order_ref']))
+ @decorators.idempotent_id('fe26f0a1-bcfe-449d-8fd1-ccc4c28f13c2')
def test_delete_order(self):
order_id = self.create_test_order(self.order_client,
'test_delete_order')
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_quotas.py b/barbican_tempest_plugin/tests/rbac/v1/test_quotas.py
index 16edc18..d02ee02 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_quotas.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_quotas.py
@@ -11,6 +11,7 @@
# limitations under the License.
import abc
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -117,22 +118,26 @@
super().setup_clients()
cls.client = cls.os_project_reader.secret_v1.QuotaClient()
+ @decorators.idempotent_id('936e480a-f603-4d9e-bc77-9a69ef05ac28')
def test_get_effective_project_quota(self):
resp = self.client.get_default_project_quota()
self.assertIn('quotas', resp)
+ @decorators.idempotent_id('528907ad-efd8-481e-b57e-7faed7198405')
def test_list_project_quotas(self):
self.assertRaises(exceptions.Forbidden, self.client.list_quotas)
+ @decorators.idempotent_id('948afb0d-35e8-4a23-880f-b2dc3eebf1bd')
def test_get_custom_quota_for_project(self):
- project_id = self.client.tenant_id
+ project_id = self.client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.get_project_quota,
project_id)
+ @decorators.idempotent_id('c29af3ed-561e-48da-8a1b-81ba19c943bb')
def test_set_new_quota_for_project(self):
- project_id = self.client.tenant_id
+ project_id = self.client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.create_project_quota,
@@ -144,22 +149,25 @@
}
)
+ @decorators.idempotent_id('7382fb20-01f6-4322-9ebc-5bf6038e3e1b')
def test_remove_custom_quota_for_project(self):
- project_id = self.client.tenant_id
+ project_id = self.client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.delete_project_quota,
project_id)
+ @decorators.idempotent_id('5d062790-6754-4d21-bd0c-08d4a74fa6f3')
def test_get_custom_quota_for_other_project(self):
- project_id = self.other_secret_client.tenant_id
+ project_id = self.other_secret_client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.get_project_quota,
project_id)
+ @decorators.idempotent_id('26bd25ab-92c2-4437-a742-f301703ce523')
def test_set_new_quota_for_other_project(self):
- project_id = self.other_secret_client.tenant_id
+ project_id = self.other_secret_client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.create_project_quota,
@@ -171,8 +179,9 @@
}
)
+ @decorators.idempotent_id('7a763152-c64b-42d5-9669-213681327c58')
def test_remove_custom_quota_for_other_project(self):
- project_id = self.other_secret_client.tenant_id
+ project_id = self.other_secret_client.project_id
self.assertRaises(
exceptions.Forbidden,
self.client.delete_project_quota,
@@ -193,3 +202,96 @@
def setup_clients(cls):
super().setup_clients()
cls.client = cls.os_project_admin.secret_v1.QuotaClient()
+
+ @decorators.idempotent_id('9099766d-96b3-448d-b400-3b08563d15fc')
+ def test_list_project_quotas(self):
+ quotas = self.client.list_quotas()
+ self.assertIn("project_quotas", quotas)
+
+ @decorators.idempotent_id('dc5125a6-bc94-4426-ba9d-03e2b03c81a8')
+ def test_get_custom_quota_for_project(self):
+ project_id = self.client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+
+ @decorators.idempotent_id('6b169f51-9b17-4d05-aee8-849b94101246')
+ def test_set_new_quota_for_project(self):
+ project_id = self.client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+
+ @decorators.idempotent_id('7a16b9d6-cfdc-4eb7-9e89-b824c612609e')
+ def test_remove_custom_quota_for_project(self):
+ project_id = self.client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+ self.client.delete_project_quota(project_id)
+ self.assertRaises(
+ exceptions.NotFound,
+ self.client.get_project_quota,
+ project_id)
+
+ @decorators.idempotent_id('17936c5b-5e89-4717-9826-a22243b947cb')
+ def test_get_custom_quota_for_other_project(self):
+ project_id = self.other_secret_client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+
+ @decorators.idempotent_id('d41c97e6-e77d-4bc4-a72d-b068294a0ef6')
+ def test_set_new_quota_for_other_project(self):
+ project_id = self.other_secret_client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+
+ @decorators.idempotent_id('89fb47fd-bf05-4df0-bd47-282417c110b9')
+ def test_remove_custom_quota_for_other_project(self):
+ project_id = self.other_secret_client.tenant_id
+ self.client.create_project_quota(
+ project_id,
+ project_quotas={
+ "secrets": 1000,
+ "orders": 1000,
+ "containers": 1000
+ })
+ quota = self.client.get_project_quota(project_id)
+ self.assertIn("project_quotas", quota)
+ self.client.delete_project_quota(project_id)
+ self.assertRaises(
+ exceptions.NotFound,
+ self.client.get_project_quota,
+ project_id)
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secret_metadata.py b/barbican_tempest_plugin/tests/rbac/v1/test_secret_metadata.py
index a8e61a7..72aa668 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secret_metadata.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secret_metadata.py
@@ -13,6 +13,7 @@
import abc
from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -178,6 +179,7 @@
'foo',
'bar')
+ @decorators.idempotent_id('2dd1cb04-67e9-4c3c-a40e-12184eff5bc6')
def test_create_key_value_pair(self):
self.assertRaises(
exceptions.Forbidden,
@@ -187,6 +189,7 @@
'foo'
)
+ @decorators.idempotent_id('33c1d271-5367-4f0e-a2e7-c28ea1130fa6')
def test_put_secret_metadata(self):
meta = {
'foo': 'bar',
@@ -198,12 +201,14 @@
self.secret_id,
**meta)
+ @decorators.idempotent_id('8f22488b-52d5-4a28-ae32-faf1514ef390')
def test_get_secret_metadata(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_secret_metadata,
self.secret_id)
+ @decorators.idempotent_id('df6bbafc-f836-44b4-a0a7-3d0f94f5b9ac')
def test_update_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -212,6 +217,7 @@
'foo',
'baz')
+ @decorators.idempotent_id('b2f3bafb-4a21-47da-966f-3e3010571596')
def test_get_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -219,6 +225,7 @@
self.secret_id,
'foo')
+ @decorators.idempotent_id('0d80db72-fc6f-445f-b402-f86c91233b4f')
def test_delete_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -226,6 +233,7 @@
self.secret_id,
'foo')
+ @decorators.idempotent_id('7c6223b6-5a2f-4989-ae54-db253702af98')
def test_create_key_value_pair_on_other_secret(self):
self.assertRaises(
exceptions.Forbidden,
@@ -235,6 +243,7 @@
'foo'
)
+ @decorators.idempotent_id('c1738dd5-e67a-4b48-8064-c198ca0a7970')
def test_put_secret_metadata_on_other_secret(self):
meta = {
'foo': 'bar',
@@ -246,12 +255,14 @@
self.other_secret_id,
**meta)
+ @decorators.idempotent_id('efb8d207-5418-4c3a-bb30-d1d5e1695c41')
def test_get_secret_metadata_from_other_secret(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_secret_metadata,
self.other_secret_id)
+ @decorators.idempotent_id('489d52ae-3324-420b-b69c-938f2eb41f6f')
def test_update_other_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -260,6 +271,7 @@
'foo',
'baz')
+ @decorators.idempotent_id('f2cbaec3-94ff-4a9c-bc2d-4c728f46313b')
def test_get_other_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -267,6 +279,7 @@
self.other_secret_id,
'foo')
+ @decorators.idempotent_id('fb581f6c-1d59-420c-b05b-227514c75789')
def test_delete_other_secret_metadata_by_key(self):
self.assertRaises(
exceptions.Forbidden,
@@ -282,6 +295,7 @@
super().setup_clients()
cls.client = cls.secret_metadata_client
+ @decorators.idempotent_id('73d4c9cc-b7ad-4706-bec4-e7dc70698711')
def test_create_key_value_pair(self):
resp = self.client.create_key_value_pair(
self.secret_id,
@@ -291,6 +305,7 @@
self.assertEqual('mykey', resp['key'])
self.assertEqual('foo', resp['value'])
+ @decorators.idempotent_id('f7178757-5ae4-4041-a57c-322f7665f055')
def test_put_secret_metadata(self):
test_meta = {
'foo': 'baz',
@@ -302,23 +317,27 @@
self.assertIn('bar', resp.keys())
self.assertEqual('baz', resp['foo'])
+ @decorators.idempotent_id('054348d4-c4b4-446a-ad98-c79f6de42eec')
def test_get_secret_metadata(self):
resp = self.client.get_secret_metadata(self.secret_id)
self.assertIn('foo', resp.keys())
self.assertEqual('bar', resp['foo'])
+ @decorators.idempotent_id('7ed07736-39e7-4c4f-b5c9-f59017f3e80b')
def test_update_secret_metadata_by_key(self):
self.client.update_secret_metadata(self.secret_id, 'foo', 'baz')
resp = self.secret_metadata_client.get_secret_metadata(self.secret_id)
self.assertEqual('baz', resp['foo'])
+ @decorators.idempotent_id('26160af4-ff17-4023-9238-a2a9dca9946c')
def test_get_secret_metadata_by_key(self):
resp = self.client.get_secret_metadata_by_key(self.secret_id, 'foo')
self.assertEqual('foo', resp['key'])
self.assertEqual('bar', resp['value'])
+ @decorators.idempotent_id('3740d6ec-304f-43ce-aa54-af62006715d8')
def test_delete_secret_metadata_by_key(self):
self.client.delete_secret_metadata_by_key(self.secret_id, 'foo')
self.assertRaises(
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
index 6f0a00d..769c91d 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
@@ -12,6 +12,7 @@
import abc
from tempest import config
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -92,11 +93,7 @@
@classmethod
def skip_checks(cls):
- """TODO(redrobot): Run this with multiple backends
-
- We need to set up the devstack plugin to use multiple backends
- so we can run these tests.
- """
+ super().skip_checks()
if not CONF.barbican_tempest.enable_multiple_secret_stores:
raise cls.skipException("enable_multiple_secret_stores is not "
"configured. Skipping RBAC tests.")
@@ -106,10 +103,12 @@
super().setup_clients()
cls.client = cls.os_project_member.secret_v1.SecretStoresClient()
+ @decorators.idempotent_id('bf31560c-42e5-4afc-b1d6-a3a8aa7773d3')
def test_list_secret_stores(self):
resp = self.do_request('list_secret_stores')
self.assertIn('secret_stores', resp)
+ @decorators.idempotent_id('28d8e43b-af38-4985-8f70-3c1098116561')
def test_get_secret_store(self):
resp = self.do_request('list_secret_stores')
secret_store_id = self.ref_to_uuid(
@@ -120,14 +119,29 @@
self.assertEqual(secret_store_id,
self.ref_to_uuid(resp['secret_store_ref']))
+ @decorators.idempotent_id('e97d0cbe-112c-490e-b3d7-02981161d471')
def test_get_global_secret_store(self):
resp = self.do_request('get_global_secret_store')
self.assertTrue(resp['global_default'])
+ @decorators.idempotent_id('c3554210-8960-4d09-a1ba-369b8df6ca1f')
def test_get_preferred_secret_store(self):
+ # First use project admin to set preferred secret store
+ resp = self.do_request('list_secret_stores')
+ secret_store_id = self.ref_to_uuid(
+ resp['secret_stores'][0]['secret_store_ref']
+ )
+ admin_client = self.os_project_admin.secret_v1.SecretStoresClient()
+ self.do_request('set_preferred_secret_store',
+ client=admin_client,
+ secret_store_id=secret_store_id)
+
+ # Check that other users in project can view the newly set
+ # preferred secret store
resp = self.do_request('get_preferred_secret_store')
self.assertEqual('ACTIVE', resp['status'])
+ @decorators.idempotent_id('ada28e3a-ec67-4994-9dde-410463d6d06e')
def test_set_preferred_secret_store(self):
resp = self.do_request('list_secret_stores')
secret_store_id = self.ref_to_uuid(
@@ -137,12 +151,13 @@
expected_status=exceptions.Forbidden,
secret_store_id=secret_store_id)
+ @decorators.idempotent_id('c3f52fd1-5d18-498f-81b2-45df5cb09a87')
def test_unset_preferred_secret_store(self):
resp = self.do_request('list_secret_stores')
secret_store_id = self.ref_to_uuid(
resp['secret_stores'][0]['secret_store_ref']
)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
expected_status=exceptions.Forbidden,
secret_store_id=secret_store_id)
@@ -154,6 +169,7 @@
super().setup_clients()
cls.client = cls.os_project_admin.secret_v1.SecretStoresClient()
+ @decorators.idempotent_id('c459deb6-6447-43c4-820b-384903e700cb')
def test_set_preferred_secret_store(self):
resp = self.do_request('list_secret_stores')
secret_store_id = self.ref_to_uuid(
@@ -165,6 +181,7 @@
self.assertEqual(secret_store_id,
self.ref_to_uuid(resp['secret_store_ref']))
+ @decorators.idempotent_id('d21ca9b6-b62e-43d1-9c9f-a6e16c939c01')
def test_unset_preferred_secret_store(self):
resp = self.do_request('list_secret_stores')
secret_store_id = self.ref_to_uuid(
@@ -172,11 +189,10 @@
)
self.do_request('set_preferred_secret_store',
secret_store_id=secret_store_id)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
secret_store_id=secret_store_id)
- resp = self.do_request('get_preferred_secret_store')
- self.assertEqual(secret_store_id,
- self.ref_to_uuid(resp['secret_store_ref']))
+ self.do_request('get_preferred_secret_store',
+ expected_status=exceptions.NotFound)
class ProjectReaderTests(ProjectMemberTests):
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
index bdd56b2..aab76e1 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secrets.py
@@ -17,6 +17,7 @@
from tempest import config
from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base as rbac_base
@@ -270,6 +271,7 @@
class ProjectReaderTests(ProjectReaderBase, BarbicanV1RbacSecrets):
+ @decorators.idempotent_id('e4dfbae6-faca-42a7-a06b-2655e29df193')
def test_create_secret(self):
"""Test add_secret policy."""
self.assertRaises(exceptions.Forbidden, self.client.create_secret)
@@ -285,6 +287,7 @@
payload_content_encoding="base64"
)
+ @decorators.idempotent_id('f2649794-10d2-4742-a81c-af78eb3d9c0e')
def test_list_secrets(self):
"""Test get_secrets policy."""
# create two secrets
@@ -308,6 +311,7 @@
# list all secrets
self.assertRaises(exceptions.Forbidden, self.client.list_secrets)
+ @decorators.idempotent_id('6a4cfca5-1841-49f4-ae1d-bbde0fa94bd7')
def test_delete_secret(self):
"""Test delete_secrets policy."""
sec = self.create_empty_secret_admin('secret_1')
@@ -319,6 +323,7 @@
secret_id=uuid
)
+ @decorators.idempotent_id('9c5b46b4-8f0b-4f75-b751-61ddf943fbf3')
def test_get_secret(self):
"""Test get_secret policy."""
sec = self.create_empty_secret_admin('secret_1')
@@ -329,6 +334,7 @@
secret_id=uuid
)
+ @decorators.idempotent_id('b2760216-e492-4081-b981-a5d40bcc6a0e')
def test_get_secret_payload(self):
"""Test get_secret payload policy."""
key, sec = self.create_aes_secret_admin('secret_1')
@@ -341,6 +347,7 @@
secret_id=uuid
)
+ @decorators.idempotent_id('64b4e2e7-0121-46e7-949f-34332efdec6f')
def test_put_secret_payload(self):
"""Test put_secret policy."""
sec = self.create_empty_secret_admin('secret_1')
@@ -355,6 +362,7 @@
secret_id=uuid, payload=key
)
+ @decorators.idempotent_id('5219c830-fe82-4f3b-9eda-e3b5e918ba60')
def test_get_other_project_secret(self):
other_secret_id = self.create_other_project_secret(
'get_other_secret',
@@ -364,6 +372,7 @@
self.client.get_secret_metadata,
other_secret_id)
+ @decorators.idempotent_id('dff3d49e-9e31-46bb-b069-d4c72f591718')
def test_get_other_project_secret_payload(self):
other_secret_id = self.create_other_project_secret(
'get_other_payload',
@@ -373,6 +382,7 @@
self.client.get_secret_payload,
other_secret_id)
+ @decorators.idempotent_id('fb2fe2a4-2ca9-4b64-b18f-cc0877eb27bc')
def test_put_other_project_secret_payload(self):
other_secret_id = self.create_other_project_secret('put_other_payload')
self.assertRaises(
@@ -381,6 +391,7 @@
other_secret_id,
'Shhhh... secret!')
+ @decorators.idempotent_id('fc2f42ec-6bf4-4121-9698-4f0a7d01d8f3')
def test_delete_other_project_secret(self):
other_secret_id = self.create_other_project_secret(
'get_other_payload',
@@ -390,12 +401,14 @@
self.client.delete_secret,
other_secret_id)
+ @decorators.idempotent_id('effafb29-fd10-41fb-9404-585af3de3602')
def test_get_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_secret_acl,
self.secret_id)
+ @decorators.idempotent_id('d5058429-4e98-43ac-bda4-8160b2b95ef7')
def test_put_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -403,6 +416,7 @@
self.secret_id,
self.valid_acl)
+ @decorators.idempotent_id('3350274a-b3f4-4178-927f-2591ef2dbea8')
def test_patch_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -410,18 +424,21 @@
self.secret_id,
self.valid_acl)
+ @decorators.idempotent_id('07104bf1-104b-4fa5-b855-82cba69bf24c')
def test_delete_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
self.client.delete_secret_acl,
self.secret_id)
+ @decorators.idempotent_id('434187eb-1dd2-4544-bb1e-6be0dca8cd25')
def test_get_other_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
self.client.get_secret_acl,
self.other_secret_id)
+ @decorators.idempotent_id('32312a70-8f02-4663-b7e0-4432950c2c11')
def test_put_other_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -429,6 +446,7 @@
self.other_secret_id,
self.valid_acl)
+ @decorators.idempotent_id('ad95395f-45b0-4b34-b92a-e6c25f90e798')
def test_patch_other_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -436,6 +454,7 @@
self.other_secret_id,
self.valid_acl)
+ @decorators.idempotent_id('1470e2fc-46ce-4d06-a11a-201e9b5950c6')
def test_delete_other_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -465,12 +484,14 @@
**self.test_consumer
)
+ @decorators.idempotent_id('be85626b-ca83-4c90-9bf0-b918b9de21b6')
def test_list_secret_consumers(self):
self.assertRaises(
exceptions.Forbidden,
self.secret_consumer_client.list_consumers_in_secret,
self.secret_id)
+ @decorators.idempotent_id('d7389369-62e9-4a25-b759-2a64f72fcba2')
def test_create_secret_consumer(self):
self.assertRaises(
exceptions.Forbidden,
@@ -478,6 +499,7 @@
self.secret_id,
**self.test_consumer)
+ @decorators.idempotent_id('dbfba5e4-cd52-4ce9-bf50-a7e933ce5dcc')
def test_delete_secret_consumer(self):
self.assertRaises(
exceptions.Forbidden,
@@ -493,6 +515,7 @@
super().setup_clients()
cls.client = cls.secret_client
+ @decorators.idempotent_id('69f24625-0d8a-4412-b9c2-5a96fc689c87')
def test_create_secret(self):
"""Test add_secret policy."""
self.client.create_secret(name='test_create_secret')
@@ -507,6 +530,7 @@
payload_content_encoding="base64"
)
+ @decorators.idempotent_id('ff89eaa4-0014-4935-80cf-f8b7970387e1')
def test_list_secrets(self):
"""Test get_secrets policy."""
# create two secrets
@@ -528,12 +552,14 @@
secrets = resp['secrets']
self.assertGreaterEqual(len(secrets), 2)
+ @decorators.idempotent_id('bffcf1e6-b9a2-43d8-b95c-b3683d6c4549')
def test_delete_secret(self):
"""Test delete_secrets policy."""
sec = self.create_empty_secret_admin('test_delete_secret_1')
uuid = self.client.ref_to_uuid(sec['secret_ref'])
self.client.delete_secret(uuid)
+ @decorators.idempotent_id('72a59d44-1967-44fc-84a1-157a7bf124fa')
def test_get_secret(self):
"""Test get_secret policy."""
sec = self.create_empty_secret_admin('test_get_secret')
@@ -541,6 +567,7 @@
resp = self.client.get_secret_metadata(uuid)
self.assertEqual(uuid, self.client.ref_to_uuid(resp['secret_ref']))
+ @decorators.idempotent_id('cb848266-0172-4f93-add3-9d6f41a3bc46')
def test_get_secret_payload(self):
"""Test get_secret payload policy."""
key, sec = self.create_aes_secret_admin('test_get_secret_payload')
@@ -550,6 +577,7 @@
payload = self.client.get_secret_payload(uuid)
self.assertEqual(key, base64.b64encode(payload))
+ @decorators.idempotent_id('f6c58ca1-50f2-4454-b3b2-b338a7dcf3cb')
def test_put_secret_payload(self):
"""Test put_secret policy."""
sec = self.create_empty_secret_admin('test_put_secret_payload')
@@ -564,10 +592,12 @@
payload = self.client.get_secret_payload(uuid)
self.assertEqual(key, base64.b64encode(payload))
+ @decorators.idempotent_id('63482006-18b5-40d3-82da-fdc078d6e5fe')
def test_get_secret_acl(self):
acl = self.client.get_secret_acl(self.secret_id)
self.assertIn("read", acl.keys())
+ @decorators.idempotent_id('915bdc2a-94d2-4835-a46e-a27f16ae57a2')
def test_put_secret_acl(self):
self.assertRaises(
exceptions.Forbidden,
@@ -580,6 +610,7 @@
resp = self.other_secret_client.get_secret_metadata(self.secret_id)
self.assertIn(self.secret_id, resp['secret_ref'])
+ @decorators.idempotent_id('d6128f75-e7af-43dc-bf43-cf5fdc5f83be')
def test_patch_secret_acl(self):
_ = self.client.put_secret_acl(self.secret_id, self.valid_acl)
acl = self.client.get_secret_acl(self.secret_id)
@@ -594,6 +625,7 @@
self.assertNotIn(self.other_secret_client.user_id,
acl['read']['users'])
+ @decorators.idempotent_id('d566f1ab-c318-42cc-80d9-1ff9178d2c63')
def test_delete_secret_acl(self):
_ = self.client.put_secret_acl(self.secret_id, self.valid_acl)
acl = self.client.get_secret_acl(self.secret_id)
@@ -612,12 +644,14 @@
super().setup_clients()
cls.secret_consumer_client = cls.member_secret_consumer_client
+ @decorators.idempotent_id('ca2bbfa3-90b2-4f4e-8e57-3a3562d202a6')
def test_list_secret_consumers(self):
resp = self.secret_consumer_client.list_consumers_in_secret(
self.secret_id
)
self.assertEqual(1, resp['total'])
+ @decorators.idempotent_id('86cadb1e-f748-4d99-9477-4d171d4e9240')
def test_create_secret_consumer(self):
second_consumer = {
'service': 'service2',
@@ -631,6 +665,7 @@
self.assertEqual(2, len(resp['consumers']))
+ @decorators.idempotent_id('f56c4c14-e8c7-4335-8d84-00f34355b53c')
def test_delete_secret_consumer(self):
resp = self.secret_consumer_client.delete_consumer_from_secret(
self.secret_id,
@@ -645,6 +680,18 @@
super().setup_clients()
cls.client = cls.admin_secret_client
+ def test_delete_other_project_secret(self):
+ other_secret_id = self.create_other_project_secret(
+ 'get_other_payload',
+ payload='loremipsumloremipsum')
+ self.client.delete_secret(other_secret_id)
+
+ def test_get_other_project_secret(self):
+ other_secret_id = self.create_other_project_secret(
+ 'get_other_secret',
+ payload='¡Muy secreto!')
+ self.client.get_secret_metadata(other_secret_id)
+
class ProjectAdminV1_1Tests(ProjectMemberV1_1Tests):
@@ -653,12 +700,15 @@
super().setup_clients()
cls.secret_consumer_client = cls.admin_secret_consumer_client
+ @decorators.idempotent_id('2da9bfb4-f53b-45c0-b8c9-f657ced99bd4')
def test_create_secret_consumer(self):
pass
+ @decorators.idempotent_id('2a4eaac5-76a1-48e2-b648-b1b02344130b')
def test_delete_secret_consumer(self):
pass
+ @decorators.idempotent_id('34e2ded6-30ea-4f8a-b4e1-3aecac8fdd49')
def test_list_secret_consumers(self):
pass
@@ -670,57 +720,75 @@
super().setup_clients()
cls.client = cls.secret_client
+ @decorators.idempotent_id('104f71f0-8099-43ae-b4d9-cce5781a79b9')
def test_create_secret(self):
pass
+ @decorators.idempotent_id('5a29b825-4f28-4733-90fa-579b63ae2b96')
def test_list_secrets(self):
pass
+ @decorators.idempotent_id('b637c7db-64a9-46c8-b322-c4d282e05164')
def test_delete_secret(self):
pass
+ @decorators.idempotent_id('8d0a7f54-61f3-432e-8f4b-c04945b40373')
def test_get_secret(self):
pass
+ @decorators.idempotent_id('1bc76c3a-a69e-4285-8f8e-f7bacd01fef8')
def test_get_secret_payload(self):
pass
+ @decorators.idempotent_id('c2f38e3d-cc52-43c0-9fb3-8065797c40da')
def test_put_secret_payload(self):
pass
+ @decorators.idempotent_id('be392729-af43-4aab-bbc7-43fcd5df9140')
def test_get_other_project_secret(self):
pass
+ @decorators.idempotent_id('cc021881-7fba-48a2-aa6e-68c426b382f9')
def test_get_other_project_secret_payload(self):
pass
+ @decorators.idempotent_id('e87f5e40-7bb3-4fc8-aa5a-23cc1a8850f5')
def test_put_other_project_secret_payload(self):
pass
+ @decorators.idempotent_id('ce878824-d424-4abb-8217-068c9a99333b')
def test_delete_other_project_secret(self):
pass
+ @decorators.idempotent_id('be04944b-b4e2-4f66-b58a-3d047c99d939')
def test_get_secret_acl(self):
pass
+ @decorators.idempotent_id('65ce0063-d6f1-463c-b752-d4871a9df684')
def test_put_secret_acl(self):
pass
+ @decorators.idempotent_id('81423acc-240c-46f0-8de9-4cf6ab5d4bc4')
def test_patch_secret_acl(self):
pass
+ @decorators.idempotent_id('d55d5798-c23f-4108-8005-963d350d9d41')
def test_delete_secret_acl(self):
pass
+ @decorators.idempotent_id('5490d517-ba6c-4e28-8712-07dbc9bb9ada')
def test_get_other_secret_acl(self):
pass
+ @decorators.idempotent_id('1ae61619-104a-4497-999c-00671335bc4f')
def test_put_other_secret_acl(self):
pass
+ @decorators.idempotent_id('5ec28567-111b-405f-93c9-ed5d4259e918')
def test_patch_other_secret_acl(self):
pass
+ @decorators.idempotent_id('65cfefb4-69a6-4f31-b8e1-defad1b57645')
def test_delete_other_secret_acl(self):
pass
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_transport_keys.py b/barbican_tempest_plugin/tests/rbac/v1/test_transport_keys.py
index 1984943..65a5c9b 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_transport_keys.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_transport_keys.py
@@ -11,6 +11,7 @@
# limitations under the License.
import abc
+from tempest.lib import decorators
from tempest.lib import exceptions
from barbican_tempest_plugin.tests.rbac.v1 import base
@@ -66,16 +67,19 @@
super().setup_clients()
cls.client = cls.os_project_member.secret_v1.TransportKeyClient()
+ @decorators.idempotent_id('dc647930-d89d-449c-8bf6-b0aff0cd95da')
def test_list_transport_keys(self):
resp = self.do_request('list_transport_keys')
self.assertIn('transport_keys', resp)
+ @decorators.idempotent_id('981d9ec3-7974-40ab-abf0-d19cd17311e0')
def test_create_transport_key(self):
self.do_request('create_transport_key',
expected_status=exceptions.Forbidden,
plugin_name='simple-crypto',
transport_key='???')
+ @decorators.idempotent_id('4d4d46df-ec90-4755-a6e3-aa0ff9204113')
def test_get_transport_key(self):
# TODO(redorobot):
# We need to sort out how system admins create keys before we
@@ -90,6 +94,7 @@
# self.assertEqual(transport_key_id, resp['transport_key_id'])
pass
+ @decorators.idempotent_id('aeae2541-af87-40d6-a4b6-767fcb7416d4')
def test_delete_transport_key(self):
# TODO(redorobot):
# We need to sort out how system admins create keys before we
@@ -112,6 +117,14 @@
super().setup_clients()
cls.client = cls.os_project_admin.secret_v1.TransportKeyClient()
+ @decorators.idempotent_id('bed9bace-9b44-448b-b68e-bff46c4c181e')
+ def test_create_transport_key(self):
+ transport_key = self.client.create_transport_key(
+ plugin_name="simple-crypto",
+ transport_key="UUUU-UUUU-IIII-DDDD"
+ )
+ self.assertIn("transport_key_ref", transport_key)
+
class ProjectReaderTests(ProjectMemberTests):
diff --git a/barbican_tempest_plugin/tests/scenario/manager.py b/barbican_tempest_plugin/tests/scenario/manager.py
index b7f8914..cb4e52c 100644
--- a/barbican_tempest_plugin/tests/scenario/manager.py
+++ b/barbican_tempest_plugin/tests/scenario/manager.py
@@ -16,7 +16,6 @@
from oslo_log import log
-from tempest.common import image as common_image
from tempest.common import waiters
from tempest import config
from tempest.lib.common.utils import data_utils
@@ -46,24 +45,16 @@
'name': name,
'container_format': fmt,
'disk_format': disk_format or fmt,
+ 'visibility': 'private'
}
- if CONF.image_feature_enabled.api_v1:
- params['is_public'] = 'False'
- params['properties'] = properties
- params = {'headers': common_image.image_meta_to_headers(**params)}
- else:
- params['visibility'] = 'private'
- # Additional properties are flattened out in the v2 API.
- params.update(properties)
+ # Additional properties are flattened out in the v2 API.
+ params.update(properties)
body = self.image_client.create_image(**params)
image = body['image'] if 'image' in body else body
self.addCleanup(self.image_client.delete_image, image['id'])
self.assertEqual("queued", image['status'])
with open(path, 'rb') as image_file:
- if CONF.image_feature_enabled.api_v1:
- self.image_client.update_image(image['id'], data=image_file)
- else:
- self.image_client.store_image_file(image['id'], image_file)
+ self.image_client.store_image_file(image['id'], image_file)
if CONF.image_feature_enabled.import_image:
available_stores = []
diff --git a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
index e64952c..2f22329 100644
--- a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
+++ b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
@@ -11,6 +11,7 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
from oslo_log import log as logging
from tempest.common import utils
@@ -79,6 +80,9 @@
@decorators.idempotent_id('6d354881-35a6-4568-94b8-2204bbf67b29')
@utils.services('compute', 'image')
+ @testtools.skipUnless(
+ CONF.image_signature_verification.certificate_validation,
+ "Image signature certificate validation is not enforced")
def test_signed_image_invalid_cert_boot_failure(self):
"""Test that Nova refuses to boot an unvalidated signed image.
diff --git a/barbican_tempest_plugin/tests/scenario/test_image_signing.py b/barbican_tempest_plugin/tests/scenario/test_image_signing.py
index 3e8cf05..d91726a 100644
--- a/barbican_tempest_plugin/tests/scenario/test_image_signing.py
+++ b/barbican_tempest_plugin/tests/scenario/test_image_signing.py
@@ -14,12 +14,18 @@
import testtools
from oslo_log import log as logging
+
from tempest.api.compute import base as compute_base
+from tempest.api.image import base
+
from tempest.common import utils
+from tempest.common import waiters
+
from tempest import config
from tempest import exceptions
from tempest.lib.common import api_version_utils
from tempest.lib import decorators
+from tempest.scenario import manager as tempest_manager
from barbican_tempest_plugin.tests.scenario import barbican_manager
@@ -142,3 +148,190 @@
self.assertFalse(any(x in img_meta for x in signature_props))
self.servers_client.delete_server(instance['id'])
+
+
+class ImageSigningVolumeTest(barbican_manager.BarbicanScenarioTest,
+ tempest_manager.EncryptionScenarioTest,
+ compute_base.BaseV2ComputeTest,
+ base.BaseV2ImageTest):
+ """Tests with signed volumes
+
+ The cinder image signature feature is on by default.
+ The set of operation is:
+ * Create signed volume or create encrypted signed volume
+ * Create and upload signed image
+ * Create instance
+ * Attach signed volume to instance
+ """
+
+ min_microversion = '2.1'
+
+ @classmethod
+ def skip_checks(cls):
+ super(ImageSigningVolumeTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.attach_encrypted_volume:
+ raise cls.skipException("Attach encrypted volumes not supported")
+ if not CONF.volume_feature_enabled.extend_attached_volume:
+ raise cls.skipException("Extend attached volume not supported")
+ if not CONF.volume_feature_enabled.extend_attached_encrypted_volume:
+ raise cls.skipException("Extend attached"
+ "encrypted volume not supported")
+ if not CONF.service_available.nova:
+ raise cls.skipException("Nova service not available")
+
+ def _create_encrypted_signed_volume(self,
+ encryption_provider,
+ volume_type,
+ key_size=256,
+ cipher='aes-xts-plain64',
+ control_location='front-end',
+ imageRef=None):
+
+ """Create an encrypted signed volume"""
+ volume_type = self.create_volume_type(name=volume_type)
+ self.create_encryption_type(type_id=volume_type['id'],
+ provider=encryption_provider,
+ key_size=key_size,
+ cipher=cipher,
+ control_location=control_location)
+ return self.create_volume(imageRef=imageRef,
+ volume_type=volume_type['name'])
+
+ def _volume_create(self, volume_type=None, img_uuid=str):
+ """Create extended signed volume or signed volume"""
+
+ # Create encrypted extended signed volume
+ if volume_type == 'encrypted':
+ volume = self._create_encrypted_signed_volume('luks',
+ volume_type='luks',
+ imageRef=img_uuid)
+ LOG.info("Create encrypted volume%s", volume)
+ waiters.wait_for_volume_resource_status(
+ self.volumes_client, volume['id'], 'available')
+ self.assertEqual(volume['encrypted'], True)
+ extend_size = volume['size'] * 2
+ self.volumes_client.extend_volume(volume_id=volume['id'],
+ new_size=extend_size)
+ LOG.info("Extend volume %s", volume)
+ waiters.wait_for_volume_resource_status(
+ self.volumes_client,
+ volume['id'], 'available')
+ resized_volume = self.volumes_client.show_volume(
+ volume['id'])['volume']
+ self.assertEqual(extend_size, resized_volume['size'])
+ return resized_volume
+
+ # Create signed volume
+ if img_uuid:
+ volume = self.create_volume(imageRef=img_uuid)
+ waiters.wait_for_volume_resource_status(
+ self.volumes_client, volume['id'], 'available')
+ LOG.info("Create volume from signed image %s", volume)
+ return volume
+
+ def _create_instance_attach_volume(self, img_uuid, resized_volume):
+ """Create instance and attach extended signed volume
+
+ The method follows these steps:
+ * Create instance from signed image
+ * Confirm the instance changes state to Active
+ * Attach encrypted or signed volume to instance
+ * Detach volume from instance
+ * Delete instance
+ """
+ # Create instance from signed image
+ instance = self.create_server(name='signed_img_server',
+ image_id=img_uuid,
+ wait_until='ACTIVE')
+ LOG.info("Create instance with signed image %s", instance)
+ instance_id = instance['id']
+
+ # Attach volume to instance
+ attachment = self.attach_volume(instance, resized_volume)
+ waiters.wait_for_volume_resource_status(self.volumes_client,
+ attachment['volumeId'],
+ 'in-use')
+ LOG.info("Attach volume %s to instance %s", resized_volume, instance)
+ self.assertEqual(img_uuid, instance['image']['id'])
+
+ instance_observed = \
+ self.servers_client.show_server(instance_id)['server']
+ self.assertEqual(
+ resized_volume['id'],
+ instance_observed['os-extended-volumes:volumes_attached'][0]['id'])
+
+ self.delete_server(instance_observed['id'])
+
+ @decorators.idempotent_id('72ca044d-39a4-4966-b302-f53a446d3e29')
+ @decorators.attr(type='slow')
+ @utils.services('compute', 'image', 'volume')
+ def test_extend_encrypted_signed_volume_attach_to_instance(self):
+ """Create volume from signed image, extend volume
+
+ and attach volume to instance.
+ Verify that volume can be created from signed image and had
+ image signature properties.
+ The test follows these steps:
+ * Create an asymmetric keypair
+ * Sign an image file with the private key
+ * Create a certificate with the public key
+ * Store the certificate in Barbican
+ * Store the signed image in Glance
+ * Create encrypted signed volume from image and resize volume
+ * Create instance from signed image
+ * Confirm the instance changes state to Active
+ * Attach encrypted signed volume to instance
+ * Detach volume from instance
+ * Delete instance
+ """
+ # Create an encrypted volume and extend volume
+ img_uuid = self.sign_and_upload_image()
+ resized_volume = self._volume_create(volume_type='encrypted',
+ img_uuid=img_uuid)
+ observed_image = self.images_client.show_image(img_uuid)
+ self.assertEqual(
+ resized_volume['volume_image_metadata']['signature_verified'],
+ 'True')
+ self.assertEqual(
+ resized_volume['volume_image_metadata']
+ ['img_signature_certificate_uuid'],
+ observed_image['img_signature_certificate_uuid'])
+ self._create_instance_attach_volume(img_uuid, resized_volume)
+
+ @decorators.idempotent_id('9f28ce2e-362e-46ec-bf56-aebce9cc49fb')
+ @decorators.attr(type='slow')
+ @utils.services('compute', 'image', 'volume')
+ def test_signed_volume_attach_to_instance(self):
+ """Create volume from signed image and attach volume to instance
+
+ Verify that volume can be created from signed image and had
+ image signature properties.
+ The test follows these steps:
+ * Create an asymmetric keypair
+ * Sign an image file with the private key
+ * Create a certificate with the public key
+ * Store the certificate in Barbican
+ * Store the signed image in Glance
+ * Create signed volume from image
+ * Create instance from signed image
+ * Confirm the instance changes state to Active
+ * Attach signed volume to instance
+ * Detach volume from instance
+ * Delete instance
+ """
+
+ # Create image
+ img_uuid = self.sign_and_upload_image()
+
+ # Create volume from signed image
+ volume = self._volume_create(img_uuid=img_uuid)
+ waiters.wait_for_volume_resource_status(self.volumes_client,
+ volume['id'], 'available')
+ observed_image = self.images_client.show_image(img_uuid)
+ self.assertEqual(
+ volume['volume_image_metadata']['signature_verified'],
+ 'True')
+ self.assertEqual(
+ volume['volume_image_metadata']['img_signature_certificate_uuid'],
+ observed_image['img_signature_certificate_uuid'])
+ self._create_instance_attach_volume(img_uuid, volume)
diff --git a/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml b/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
new file mode 100644
index 0000000..903adcd
--- /dev/null
+++ b/releasenotes/notes/consistent-enforce_scope-option-d3ddf50423e1efaa.yaml
@@ -0,0 +1,5 @@
+---
+deprecations:
+ - |
+ The ``[barbican_rbac_scope_verification] enforce_scope`` option has been
+ deprecated in favor of the new ``[enforce_scope] barican`` option.
diff --git a/setup.cfg b/setup.cfg
index 110ab8e..77913d7 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -16,6 +16,8 @@
Programming Language :: Python :: 3
Programming Language :: Python :: 3.8
Programming Language :: Python :: 3.9
+ Programming Language :: Python :: 3.10
+ Programming Language :: Python :: 3.11
[files]
packages =