Skip failing tests affected by minimum password age
Some identity api tests are failing, when keystone parameter
minimum_password_age is set to value greater than 0. It causes inability
to update user's password more than once per test suite. As in this test
suite it is required total of four times, this patch suggests skipping
these tests to avoid complicated workaround.
This bug has been discussed in several patches [1][2].
Additionaly, config option for user_minimum_password_age is added into
tempest/config.py, to allow users to work with this keystone parameter.
[1] https://review.opendev.org/c/openstack/tempest/+/806671
[2] https://review.opendev.org/c/openstack/tempest/+/838726
Related-Bug: #1946459
Change-Id: I418e4001b0aa27f10a78f3490cc233293c30c274
diff --git a/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml b/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml
new file mode 100644
index 0000000..06f993e
--- /dev/null
+++ b/releasenotes/notes/add-keystone-config-opt-minimum-password-age-426e9d225f743137.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adding a new config option `[identity]/user_minimum_password_age`
+ which allows to specify the number of days that a password must
+ be used before the user can change it. For this option to take
+ effect, identity-feature-enabled.security_compliance must be set
+ to True.
diff --git a/tempest/api/identity/v3/test_users.py b/tempest/api/identity/v3/test_users.py
index b95bd75..53814ad 100644
--- a/tempest/api/identity/v3/test_users.py
+++ b/tempest/api/identity/v3/test_users.py
@@ -88,6 +88,10 @@
'Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
+ @testtools.skipIf(CONF.identity.user_minimum_password_age > 0,
+ 'Skipped because password cannot '
+ 'be changed immediately, resulting '
+ 'in failed password update.')
def test_user_update_own_password(self):
"""Test updating user's own password"""
old_pass = self.creds.password
@@ -116,6 +120,10 @@
'Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
+ @testtools.skipIf(CONF.identity.user_minimum_password_age > 0,
+ 'Skipped because password cannot '
+ 'be changed immediately, resulting '
+ 'in failed password update.')
def test_password_history_check_self_service_api(self):
"""Test checking password changing history"""
old_pass = self.creds.password
diff --git a/tempest/config.py b/tempest/config.py
index a174fdd..5107726 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -199,8 +199,15 @@
"default value is 0 meaning disabling this feature. "
"NOTE: This config option value must be same as "
"keystone.conf: security_compliance.unique_last_password_"
- "count otherwise test might fail"
- ),
+ "count otherwise test might fail"),
+ cfg.IntOpt('user_minimum_password_age',
+ default=0,
+ help="The number of days that a password must be used before "
+ "the user can change it. This only takes effect when "
+ "identity-feature-enabled.security_compliance is set to "
+ "'True'. For more details, refer to keystone config "
+ "options "
+ "keystone.conf:security_compliance.minimum_password_age.")
]
service_clients_group = cfg.OptGroup(name='service-clients',