Add enable_certificate_validation config option
This patch adds enable_certificate_validation config option. This option
can be used to skip tests that rely on image signature certificate
validation being enabled on the test environment
(test_signed_image_invalid_cert_boot_failure).
Related-PRODX: PRODX-35048
Change-Id: Id4134a2e87378487baa9e3d5f49e7ded48daa765
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index 7b79cb5..f71c9e4 100644
--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -64,6 +64,10 @@
default=True,
help="Does the test environment enforce glance image "
"verification?"),
+ cfg.BoolOpt('certificate_validation',
+ default=True,
+ help="Does the test environment enforce image signature"
+ "certificate validation?")
]
barbican_rbac_scope_verification_group = cfg.OptGroup(
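Review bot: The help text for the new `certificate_validation` option concatenates to "image signaturecertificate validation?" because the first literal has no trailing space; it should read `help="Does the test environment enforce image signature "`. The option is registered as `certificate_validation`, while the commit message calls it `enable_certificate_validation`, so an operator copying the name from the message would presumably set a key this plugin does not read, and the test would keep running under the default of True. Setting the option to False skips the negative test that checks Nova refuses to boot an image with an invalid certificate, so the help should say that, e.g. `"Set to False only where certificate validation is deliberately not enforced; this skips test_signed_image_invalid_cert_boot_failure."`. The skip reason in test_certificate_validation.py could also name the option, so a skipped run in a results report is traceable to configuration rather than read as missing coverage. A trailing comma after the closing `)` would match the entry above it.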
diff --git a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
index 403d6cc..67d80b0 100644
--- a/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
+++ b/barbican_tempest_plugin/tests/scenario/test_certificate_validation.py
@@ -11,6 +11,7 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
from oslo_log import log as logging
from tempest.common import utils
@@ -79,6 +80,9 @@
@decorators.idempotent_id('6d354881-35a6-4568-94b8-2204bbf67b29')
@utils.services('compute', 'image')
+ @testtools.skipUnless(
+ CONF.image_signature_verification.certificate_validation,
+ "Image signature certificate validation is not enforced")
def test_signed_image_invalid_cert_boot_failure(self):
"""Test that Nova refuses to boot an unvalidated signed image.