Merge "Update rbac tests"
diff --git a/.zuul.yaml b/.zuul.yaml
index d60cc74..1f543fc 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -128,12 +128,19 @@
oslo_policy:
enforce_new_defaults: True
enforce_scope: True
+ secretstore:
+ enable_multiple_secret_stores: True
+ stores_lookup_suffix: simple_crypto
+ secretstore:simple_crypto:
+ secret_store_plugin: store_crypto
+ crypto_plugin: simple_crypto
+ global_default: true
test-config:
$TEMPEST_CONFIG:
- auth:
- tempest_roles: member
barbican_rbac_scope_verification:
enforce_scope: True
+ barbican_tempest:
+ enable_multiple_secret_stores: True
- job:
name: barbican-tempest-plugin-simple-crypto-secure-rbac-yoga
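Review bot: Nothing ties the tempest-side `barbican_tempest.enable_multiple_secret_stores` to the service-side `secretstore.enable_multiple_secret_stores` added higher in this hunk, although the two must agree. The secret-store RBAC tests are gated on the tempest flag in `skip_checks`, so if only the service side is later changed or removed, the authorization tests either skip without any failure signal or fail against the API. A short comment above the tempest entry would make the coupling explicit, for example `# must match secretstore.enable_multiple_secret_stores in the barbican config above`. The job definition this block belongs to starts outside the hunk.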
diff --git a/README.rst b/README.rst
index 6ee45c6..929d44f 100644
--- a/README.rst
+++ b/README.rst
@@ -22,4 +22,4 @@
Bugs
----
-Please report bugs to: https://storyboard.openstack.org/#!/project/openstack/barbican-tempest-plugin
+Please report bugs to: http://bugs.launchpad.net/barbican
diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
index cb5fd5e..6d3094c 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_stores_client.py
@@ -49,12 +49,10 @@
def set_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
- resp, body = self.post(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ resp, body = self.post(uri, None)
+ self.expected_success(204, resp.status)
def unset_preferred_secret_store(self, secret_store_id):
uri = '/v1/secret-stores/{}/preferred'.format(secret_store_id)
resp, body = self.delete(uri)
- self.expected_success(200, resp.status)
- return json.loads(body.decode('UTF-8'))
+ self.expected_success(204, resp.status)
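Review bot: Both `set_preferred_secret_store` and `unset_preferred_secret_store` still bind `body` but no longer use it, and neither documents that the return value changed from the decoded JSON to `None`. Any caller that still indexes the result will fail with a `TypeError` rather than a clear assertion. Bind the unused value explicitly, `resp, _ = self.post(uri, None)` (and likewise for `self.delete(uri)`), and add a one-line docstring such as `"""Set the preferred secret store; expects 204 and returns None."""`. The enclosing client class starts outside the hunk.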
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index 2546249..7840406 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -16,6 +16,7 @@
from tempest import config
from tempest.lib import decorators
+from tempest.lib import exceptions
CONF = config.CONF
@@ -25,14 +26,22 @@
@decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
def test_get_effective_quota(self):
- # Verify the default quota settings
- body = self.quota_client.get_default_project_quota()
- quotas = body.get('quotas')
- self.assertEqual(-1, quotas.get('secrets'))
- self.assertEqual(-1, quotas.get('cas'))
- self.assertEqual(-1, quotas.get('orders'))
- self.assertEqual(-1, quotas.get('containers'))
- self.assertEqual(-1, quotas.get('consumers'))
+ if CONF.barbican_rbac_scope_verification.enforce_scope:
+ # This test is using key-manager:service-admin legacy
+ # role. User with only this role should get a Forbidden
+ # error when trying to get effective quotas in SRBAC
+ # environment.
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.quota_client.get_default_project_quota)
+ else:
+ body = self.quota_client.get_default_project_quota()
+ quotas = body.get('quotas')
+ self.assertEqual(-1, quotas.get('secrets'))
+ self.assertEqual(-1, quotas.get('cas'))
+ self.assertEqual(-1, quotas.get('orders'))
+ self.assertEqual(-1, quotas.get('containers'))
+ self.assertEqual(-1, quotas.get('consumers'))
class ProjectQuotasTest(base.BaseKeyManagerTest):
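Review bot: With `enforce_scope` on, `test_get_effective_quota` asserts only `exceptions.Forbidden` for the legacy key-manager:service-admin credential, so nothing in this hunk confirms that a correctly scoped caller can still read the default quotas or that they are still -1. A deny-only check also passes if the endpoint rejects every caller. Consider adding a positive assertion under the SRBAC branch with whichever credential the new policy permits (not visible here), or at least a comment such as `# SRBAC positive path is covered in <test module>`. The branch reads the tempest-side flag `CONF.barbican_rbac_scope_verification.enforce_scope`, so it presumably relies on that flag mirroring the service's `oslo_policy` settings. The class containing this test starts outside the hunk.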
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
index 6f0a00d..6c12624 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_secret_stores.py
@@ -92,11 +92,7 @@
@classmethod
def skip_checks(cls):
- """TODO(redrobot): Run this with multiple backends
-
- We need to set up the devstack plugin to use multiple backends
- so we can run these tests.
- """
+ super().skip_checks()
if not CONF.barbican_tempest.enable_multiple_secret_stores:
raise cls.skipException("enable_multiple_secret_stores is not "
"configured. Skipping RBAC tests.")
@@ -125,6 +121,18 @@
self.assertTrue(resp['global_default'])
def test_get_preferred_secret_store(self):
+ # First use project admin to set preferred secret store
+ resp = self.do_request('list_secret_stores')
+ secret_store_id = self.ref_to_uuid(
+ resp['secret_stores'][0]['secret_store_ref']
+ )
+ admin_client = self.os_project_admin.secret_v1.SecretStoresClient()
+ self.do_request('set_preferred_secret_store',
+ client=admin_client,
+ secret_store_id=secret_store_id)
+
+ # Check that other users in project can view the newly set
+ # preferred secret store
resp = self.do_request('get_preferred_secret_store')
self.assertEqual('ACTIVE', resp['status'])
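Review bot: The preferred store that `test_get_preferred_secret_store` sets through `admin_client` is never unset, so the project keeps a preferred store after the test finishes. Any later test that shares these project credentials then starts from a different state. Register the cleanup right after the set call, `self.addCleanup(admin_client.unset_preferred_secret_store, secret_store_id)`. The visible assertion checks only `resp['status']`; adding `self.assertEqual(secret_store_id, self.ref_to_uuid(resp['secret_store_ref']))` would confirm the non-admin caller sees the store the admin chose rather than any active store. The test body may continue past the end of the hunk.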
@@ -142,7 +150,7 @@
secret_store_id = self.ref_to_uuid(
resp['secret_stores'][0]['secret_store_ref']
)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
expected_status=exceptions.Forbidden,
secret_store_id=secret_store_id)
@@ -172,11 +180,10 @@
)
self.do_request('set_preferred_secret_store',
secret_store_id=secret_store_id)
- self.do_request('unset_peferred_secret_store',
+ self.do_request('unset_preferred_secret_store',
secret_store_id=secret_store_id)
- resp = self.do_request('get_preferred_secret_store')
- self.assertEqual(secret_store_id,
- self.ref_to_uuid(resp['secret_store_ref']))
+ self.do_request('get_preferred_secret_store',
+ expected_status=exceptions.NotFound)
class ProjectReaderTests(ProjectMemberTests):
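Review bot: The new `exceptions.NotFound` expectation after `unset_preferred_secret_store` would also hold if the preceding `set_preferred_secret_store` call had no effect, because nothing between the two calls checks that the preference was stored. Keeping the read that the commit removed, but moving it between set and unset, closes that gap: `resp = self.do_request('get_preferred_secret_store')` followed by `self.assertEqual(secret_store_id, self.ref_to_uuid(resp['secret_store_ref']))`. The test then proves set, read and unset in order. The test method and its class start outside the hunk.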