Add enable_certificate_validation config option
This patch adds enable_certificate_validation config option. This option
can be used to skip tests that rely on image signature certificate
validation being enabled on the test environment
(test_signed_image_invalid_cert_boot_failure).
Related-PRODX: PRODX-35048
Change-Id: Id4134a2e87378487baa9e3d5f49e7ded48daa765
(cherry picked from commit ec5f58ab8f5ace2890aa11e5c30a37efe753aa84)
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index da78d15..76999b9 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -90,6 +90,10 @@
default=True,
help="Does the test environment enforce glance image "
"verification?"),
+ cfg.BoolOpt('certificate_validation',
+ default=True,
+ help="Does the test environment enforce image signature"
+ "certificate validation?")
]
barbican_rbac_scope_verification_group = cfg.OptGroup(
diff --git a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
index e64952c..2f22329 100644
--- a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
+++ b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
@@ -11,6 +11,7 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
from oslo_log import log as logging
from tempest.common import utils
@@ -79,6 +80,9 @@
@decorators.idempotent_id('6d354881-35a6-4568-94b8-2204bbf67b29')
@utils.services('compute', 'image')
+ @testtools.skipUnless(
+ CONF.image_signature_verification.certificate_validation,
+ "Image signature certificate validation is not enforced")
def test_signed_image_invalid_cert_boot_failure(self):
"""Test that Nova refuses to boot an unvalidated signed image.