Enforce scope in RBAC testing
Ensure that the Barbican service is configured to use scoped
tokens when checking RBAC policy.
Depends-On: Id399d2220118efe1033426c658d1834cbff02f94
Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22
diff --git a/.zuul.yaml b/.zuul.yaml
index 753b57b..be73dc7 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -63,6 +63,7 @@
$BARBICAN_CONF:
oslo_policy:
enforce_new_defaults: True
+ enforce_scope: True
test-config:
$TEMPEST_CONFIG:
# FIXME(redrobot): Tempest errors out when you try to create a
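Review bot: Nothing visible in this hunk sets the Tempest-side `barbican_rbac_scope_verification.enforce_scope` option that the new `skip_checks` in test_quotas.py reads, so the service-side flag added here and the test-side flag can drift apart. If the plugin option is not enabled while `oslo_policy.enforce_scope` is True, the project-quota tests would run with project-scoped credentials against a service that refuses them. The opposite mismatch would skip them without anyone noticing. The `$TEMPEST_CONFIG` section continues past the end of the hunk and the Depends-On change may already handle this, so please confirm the two are set together. A comment next to the new line would help, for example `# keep in sync with barbican_rbac_scope_verification.enforce_scope in $TEMPEST_CONFIG`.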
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index cde33e3..2546249 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -24,7 +24,7 @@
"""Quotas API tests."""
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
- def test_create_get_delete_quota(self):
+ def test_get_effective_quota(self):
# Verify the default quota settings
body = self.quota_client.get_default_project_quota()
quotas = body.get('quotas')
@@ -34,6 +34,20 @@
self.assertEqual(-1, quotas.get('containers'))
self.assertEqual(-1, quotas.get('consumers'))
+
+class ProjectQuotasTest(base.BaseKeyManagerTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super().skip_checks()
+ if CONF.barbican_rbac_scope_verification.enforce_scope:
+ # These tests can't be run with the new RBAC rules because
+ # the APIs they're testing require system-scoped credentials
+ # instead of the project-scoped credentials used here.
+ raise cls.skipException("enforce_scope is enabled for barbican, "
+ "skipping project quota tests.")
+
+ def test_manage_project_quotas(self):
# Confirm that there are no quotas
body = self.quota_client.list_quotas()
self.assertEqual(0, body.get('total'), body)
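Review bot: `test_manage_project_quotas` is added without an `@decorators.idempotent_id(...)`. The existing id above the renamed method stays with `test_get_effective_quota`, so the new test needs its own, e.g. `@decorators.idempotent_id('<new-uuid4>')` (placeholder value). Separately, when `enforce_scope` is on the whole class is skipped, so the job this commit configures no longer covers quota management: it checks neither that system-scoped credentials are accepted nor that project-scoped ones are refused. A `# TODO: add system-scoped coverage for project quotas` inside `skip_checks`, or a follow-up test using system-scoped credentials, would keep that gap visible. The test body continues beyond the end of the hunk.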