Add option to disable testing against external idp
Currently, the federation tests are non-voting because they require
connecting to an external service that is not under our control, and is
therefore unreliable. Non-voting tests are a problem because they are
often ignored even when their results are related to new changes. This
change adds a tempest config option
``[identity-feature-enabled]/external_idp``, defaulting to true for
backwards compatibility, which when disabled causes the tests that rely
on the external IdP to be disabled leaving only the K2K federation tests
to be executed. Exercising only the K2K tests is still a good means of
regression testing and we can safely make those tests voting.
Change-Id: I534470df7ca529511ab9a7631f167ec2035ab4be
diff --git a/keystone_tempest_plugin/config.py b/keystone_tempest_plugin/config.py
index 87872c5..d3e3c02 100644
--- a/keystone_tempest_plugin/config.py
+++ b/keystone_tempest_plugin/config.py
@@ -20,6 +20,11 @@
default=False,
help='Does the environment support the Federated Identity '
'feature?'),
+ cfg.BoolOpt('external_idp',
+ default=True,
+ help='Whether to test federated scenarios against an external '
+ 'identity provider. If disabled, only '
+ 'Keystone-to-Keystone tests will be enabled.'),
]
fed_scenario_group = cfg.OptGroup(name='fed_scenario',
diff --git a/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py b/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
index 89af4ce..e930205 100644
--- a/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
+++ b/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
@@ -183,14 +183,10 @@
return resp
- @testtools.skipUnless(CONF.identity_feature_enabled.federation,
- "Federated Identity feature not enabled")
- def test_request_unscoped_token(self):
+ def _test_request_unscoped_token(self):
self._request_unscoped_token()
- @testtools.skipUnless(CONF.identity_feature_enabled.federation,
- "Federated Identity feature not enabled")
- def test_request_scoped_token(self):
+ def _test_request_scoped_token(self):
resp = self._request_unscoped_token()
token_id = resp.headers['X-Subject-Token']
@@ -203,6 +199,24 @@
project_id=projects[0]['id'], token=token_id)
+class TestSaml2FederatedExternalAuthentication(
+ TestSaml2EcpFederatedAuthentication):
+
+ @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+ "Federated Identity feature not enabled")
+ @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+ "External identity provider is not available")
+ def test_request_unscoped_token(self):
+ self._test_request_unscoped_token()
+
+ @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+ "Federated Identity feature not enabled")
+ @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
+ "External identity provider is not available")
+ def test_request_scoped_token(self):
+ self._test_request_scoped_token()
+
+
class TestK2KFederatedAuthentication(TestSaml2EcpFederatedAuthentication):
def setUp(self):
@@ -253,3 +267,13 @@
self.auth_client.expected_success(200, resp.status)
return etree.XML(saml), self.sp_url
+
+ @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+ "Federated Identity feature not enabled")
+ def test_request_unscoped_token(self):
+ self._test_request_unscoped_token()
+
+ @testtools.skipUnless(CONF.identity_feature_enabled.federation,
+ "Federated Identity feature not enabled")
+ def test_request_scoped_token(self):
+ self._test_request_scoped_token()