Add credential generation for manager personas

Prepares credentials for domain manager and project manager personas,
required for RBAC tests in Keystone.

Related-Bug: https://review.opendev.org/c/openstack/keystone/+/924132
Change-Id: I2d133326eddb3cf70e2bb1711d8e20f4514f8fca
diff --git a/releasenotes/notes/add-manager-creds-49acd9192110c3e3.yaml b/releasenotes/notes/add-manager-creds-49acd9192110c3e3.yaml
new file mode 100644
index 0000000..a5d7984
--- /dev/null
+++ b/releasenotes/notes/add-manager-creds-49acd9192110c3e3.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Add support for project manager and domain manager personas by adding
+    ``get_project_manager_creds`` and ``get_domain_manager_creds`` to
+    the ``DynamicCredentialProvider`` and ``PreProvisionedCredentialProvider``
+    classes of the common library.
diff --git a/tempest/lib/common/cred_provider.py b/tempest/lib/common/cred_provider.py
index 2da206f..93b9586 100644
--- a/tempest/lib/common/cred_provider.py
+++ b/tempest/lib/common/cred_provider.py
@@ -76,6 +76,10 @@
         return
 
     @abc.abstractmethod
+    def get_domain_manager_creds(self):
+        return
+
+    @abc.abstractmethod
     def get_domain_member_creds(self):
         return
 
@@ -92,6 +96,10 @@
         return
 
     @abc.abstractmethod
+    def get_project_manager_creds(self):
+        return
+
+    @abc.abstractmethod
     def get_project_member_creds(self):
         return
 
diff --git a/tempest/lib/common/dynamic_creds.py b/tempest/lib/common/dynamic_creds.py
index 6814373..6c90938 100644
--- a/tempest/lib/common/dynamic_creds.py
+++ b/tempest/lib/common/dynamic_creds.py
@@ -432,7 +432,7 @@
                         cred_type = [cred_type]
                     credentials = self._create_creds(
                         roles=cred_type, scope=scope, project_id=project_id)
-                elif credential_type in [['member'], ['reader']]:
+                elif credential_type in [['manager'], ['member'], ['reader']]:
                     credentials = self._create_creds(
                         roles=credential_type, scope=scope,
                         project_id=project_id)
@@ -492,6 +492,9 @@
     def get_domain_admin_creds(self):
         return self.get_credentials(['admin'], scope='domain')
 
+    def get_domain_manager_creds(self):
+        return self.get_credentials(['manager'], scope='domain')
+
     def get_domain_member_creds(self):
         return self.get_credentials(['member'], scope='domain')
 
@@ -504,6 +507,9 @@
     def get_project_alt_admin_creds(self):
         return self.get_credentials(['alt_admin'], scope='project')
 
+    def get_project_manager_creds(self):
+        return self.get_credentials(['manager'], scope='project')
+
     def get_project_member_creds(self):
         return self.get_credentials(['member'], scope='project')
 
diff --git a/tempest/lib/common/preprov_creds.py b/tempest/lib/common/preprov_creds.py
index 6d948cf..3ba7db1 100644
--- a/tempest/lib/common/preprov_creds.py
+++ b/tempest/lib/common/preprov_creds.py
@@ -353,6 +353,13 @@
         self._creds['domain_admin'] = domain_admin
         return domain_admin
 
+    def get_domain_manager_creds(self):
+        if self._creds.get('domain_manager'):
+            return self._creds.get('domain_manager')
+        domain_manager = self._get_creds(['manager'], scope='domain')
+        self._creds['domain_manager'] = domain_manager
+        return domain_manager
+
     def get_domain_member_creds(self):
         if self._creds.get('domain_member'):
             return self._creds.get('domain_member')
@@ -378,6 +385,13 @@
         # TODO(gmann): Implement alt admin hash.
         return
 
+    def get_project_manager_creds(self):
+        if self._creds.get('project_manager'):
+            return self._creds.get('project_manager')
+        project_manager = self._get_creds(['manager'], scope='project')
+        self._creds['project_manager'] = project_manager
+        return project_manager
+
     def get_project_member_creds(self):
         if self._creds.get('project_member'):
             return self._creds.get('project_member')
diff --git a/tempest/tests/lib/common/test_dynamic_creds.py b/tempest/tests/lib/common/test_dynamic_creds.py
index d3d01c0..4c2ea30 100644
--- a/tempest/tests/lib/common/test_dynamic_creds.py
+++ b/tempest/tests/lib/common/test_dynamic_creds.py
@@ -104,6 +104,14 @@
                           (200, {'tenant': {'id': id, 'name': name}}))))
         return tenant_fix
 
+    def _mock_domain_create(self, id, name):
+        domain_fix = self.useFixture(fixtures.MockPatchObject(
+            self.domains_client.DomainsClient,
+            'create_domain',
+            return_value=(rest_client.ResponseBody
+                          (200, {'domain': {'id': id, 'name': name}}))))
+        return domain_fix
+
     def _mock_list_roles(self, id, name):
         roles_fix = self.useFixture(fixtures.MockPatchObject(
             self.roles_client.RolesClient,
@@ -143,7 +151,8 @@
                               {'id': '1', 'name': 'FakeRole'},
                               {'id': '2', 'name': 'member'},
                               {'id': '3', 'name': 'reader'},
-                              {'id': '4', 'name': 'admin'}]}))))
+                              {'id': '4', 'name': 'manager'},
+                              {'id': '5', 'name': 'admin'}]}))))
         return roles_fix
 
     def _mock_list_ec2_credentials(self, user_id, tenant_id):
@@ -999,6 +1008,7 @@
     roles_client = v3_roles_client
     tenants_client = v3_projects_client
     users_client = v3_users_client
+    domains_client = domains_client
     token_client_class = token_client.V3TokenClient
     fake_response = fake_identity._fake_v3_response
     tenants_client_class = tenants_client.ProjectsClient
@@ -1263,3 +1273,47 @@
                 "member role already exists, ignoring conflict.")
         creds.creds_client.assign_user_role.assert_called_once_with(
             mock.ANY, mock.ANY, 'member')
+
+    @mock.patch('tempest.lib.common.rest_client.RestClient')
+    def test_project_manager_creds(self, MockRestClient):
+        creds = dynamic_creds.DynamicCredentialProvider(**self.fixed_params)
+        self._mock_list_roles('1234', 'manager')
+        self._mock_user_create('1234', 'fake_manager_user')
+        self._mock_tenant_create('1234', 'fake_manager_tenant')
+
+        user_mock = mock.patch.object(self.roles_client.RolesClient,
+                                      'create_user_role_on_project')
+        user_mock.start()
+        self.addCleanup(user_mock.stop)
+        with mock.patch.object(self.roles_client.RolesClient,
+                               'create_user_role_on_project') as user_mock:
+            manager_creds = creds.get_project_manager_creds()
+        user_mock.assert_has_calls([
+            mock.call('1234', '1234', '1234')])
+        self.assertEqual(manager_creds.username, 'fake_manager_user')
+        self.assertEqual(manager_creds.tenant_name, 'fake_manager_tenant')
+        # Verify IDs
+        self.assertEqual(manager_creds.tenant_id, '1234')
+        self.assertEqual(manager_creds.user_id, '1234')
+
+    @mock.patch('tempest.lib.common.rest_client.RestClient')
+    def test_domain_manager_creds(self, MockRestClient):
+        creds = dynamic_creds.DynamicCredentialProvider(**self.fixed_params)
+        self._mock_list_roles('1234', 'manager')
+        self._mock_user_create('1234', 'fake_manager_user')
+        self._mock_domain_create('1234', 'fake_manager_domain')
+
+        user_mock = mock.patch.object(self.roles_client.RolesClient,
+                                      'create_user_role_on_domain')
+        user_mock.start()
+        self.addCleanup(user_mock.stop)
+        with mock.patch.object(self.roles_client.RolesClient,
+                               'create_user_role_on_domain') as user_mock:
+            manager_creds = creds.get_domain_manager_creds()
+        user_mock.assert_has_calls([
+            mock.call('1234', '1234', '1234')])
+        self.assertEqual(manager_creds.username, 'fake_manager_user')
+        self.assertEqual(manager_creds.domain_name, 'fake_manager_domain')
+        # Verify IDs
+        self.assertEqual(manager_creds.domain_id, '1234')
+        self.assertEqual(manager_creds.user_id, '1234')
diff --git a/tempest/tests/lib/common/test_preprov_creds.py b/tempest/tests/lib/common/test_preprov_creds.py
index f2131dc..5a36f71 100644
--- a/tempest/tests/lib/common/test_preprov_creds.py
+++ b/tempest/tests/lib/common/test_preprov_creds.py
@@ -77,7 +77,13 @@
             {'username': 'test_admin2', 'project_name': 'test_tenant12',
              'password': 'p', 'roles': [admin_role]},
             {'username': 'test_admin3', 'project_name': 'test_tenant13',
-             'password': 'p', 'types': ['admin']}]
+             'password': 'p', 'types': ['admin']},
+            {'username': 'test_project_manager1',
+             'project_name': 'test_tenant14', 'password': 'p',
+             'roles': ['manager']},
+            {'username': 'test_project_manager2',
+             'tenant_name': 'test_tenant15', 'password': 'p',
+             'roles': ['manager']}]
 
     def setUp(self):
         super(TestPreProvisionedCredentials, self).setUp()
@@ -319,7 +325,7 @@
         calls = get_free_hash_mock.mock.mock_calls
         self.assertEqual(len(calls), 1)
         args = calls[0][1][0]
-        self.assertEqual(len(args), 10)
+        self.assertEqual(len(args), 12)
         for i in admin_hashes:
             self.assertNotIn(i, args)
 
@@ -431,6 +437,26 @@
             # Get one more
             test_accounts_class.get_admin_creds()
 
+    def test_get_project_manager_creds(self):
+        test_accounts_class = preprov_creds.PreProvisionedCredentialProvider(
+            **self.fixed_params)
+        p_manager_creds = test_accounts_class.get_project_manager_creds()
+        self.assertNotIn('test_admin', p_manager_creds.username)
+        self.assertNotIn('test_user', p_manager_creds.username)
+        self.assertIn('test_project_manager', p_manager_creds.username)
+
+    def test_get_project_manager_creds_none_available(self):
+        admin_accounts = [x for x in self.test_accounts if 'test_admin'
+                          in x['username']]
+        self.useFixture(fixtures.MockPatch(
+            'tempest.lib.common.preprov_creds.read_accounts_yaml',
+            return_value=admin_accounts))
+        test_accounts_class = preprov_creds.PreProvisionedCredentialProvider(
+            **self.fixed_params)
+        with testtools.ExpectedException(lib_exc.InvalidCredentials):
+            # Get one more
+            test_accounts_class.get_project_manager_creds()
+
 
 class TestPreProvisionedCredentialsV3(TestPreProvisionedCredentials):
 
@@ -480,4 +506,29 @@
             {'username': 'test_admin2', 'project_name': 'test_project12',
              'domain_name': 'domain', 'password': 'p', 'roles': [admin_role]},
             {'username': 'test_admin3', 'project_name': 'test_tenant13',
-             'domain_name': 'domain', 'password': 'p', 'types': ['admin']}]
+             'domain_name': 'domain', 'password': 'p', 'types': ['admin']},
+            {'username': 'test_project_manager1',
+             'project_name': 'test_project14', 'domain_name': 'domain',
+             'password': 'p', 'roles': ['manager']},
+            {'username': 'test_domain_manager1',
+             'domain_name': 'domain', 'password': 'p', 'roles': ['manager']}]
+
+    def test_get_domain_manager_creds(self):
+        test_accounts_class = preprov_creds.PreProvisionedCredentialProvider(
+            **self.fixed_params)
+        d_manager_creds = test_accounts_class.get_domain_manager_creds()
+        self.assertNotIn('test_admin', d_manager_creds.username)
+        self.assertNotIn('test_user', d_manager_creds.username)
+        self.assertIn('test_domain_manager', d_manager_creds.username)
+
+    def test_get_domain_manager_creds_none_available(self):
+        admin_accounts = [x for x in self.test_accounts if 'test_admin'
+                          in x['username']]
+        self.useFixture(fixtures.MockPatch(
+            'tempest.lib.common.preprov_creds.read_accounts_yaml',
+            return_value=admin_accounts))
+        test_accounts_class = preprov_creds.PreProvisionedCredentialProvider(
+            **self.fixed_params)
+        with testtools.ExpectedException(lib_exc.InvalidCredentials):
+            # Get one more
+            test_accounts_class.get_domain_manager_creds()