This patch removes the hard-coded 'key-manager:service-admin' role from
the base test class because the role is not available in deployments
with the new Secure RBAC policies enabled.
There is only one test that still requires this role in the API quotas
tests, so we generate a dynamic user there and only use it in this
class. This test is skipped when SRBAC is enabled.
Change-Id: I6fbfe43f821d9315e01d3bdfd6f5d4edf4e552b7
This patch fixes a bug with the barbican_tempest option group that was
breaking tempest init by returning the wrong object.
Change-Id: Ia62c43fc67114c89be5f481dab2cb11df6ee82b0
stable/yoga and older branches are no longer supported by current
tempest so remove tests for these branches from gate.
Also fix the missing 2023.2 branch job.
Change-Id: I2feca9dba2e42e113277d5bca96188db092d098a
Tempest and a few other plugins such as manila-tempest-plugin register
the option to enable scope enforcement tests in the [enforce_scope]
option. This renames the option so that this plugin follows that
standard.
Change-Id: Ibd6962947c64f04ff1948a19c4afe9f26d0b47bb
As per the current release tested runtime, we test
till python 3.11 so updating the same in python
classifier in setup.cfg
Change-Id: Iff08f2ae92b34a7ec9b1155e12e5e9854f3feb88
There is an issue with multiple secret stores which is being tracked in
this launchpad [1]. This issue is blocking patches in
barbican-tempest-plugin. Let's remove the testing for multiple secret
stores until the bug gets resolved.
There was also an update of the secret:delete and secret:get policies
[2]. This patch updates the corresponding SRBAC tests so that we test
the policies correctly.
[1] https://bugs.launchpad.net/barbican/+bug/2043457
[2] https://review.opendev.org/c/openstack/barbican/+/884181
Related-Bug: #2043457
Change-Id: I86335a1cb54b6aa2f74e148416ef6af7c27fff61
Several tests in the Barbican-tempest-plugin are missing idempotent IDs.
The check-uuid tool was used to ensure that all tests have an ID.
Closes-Bug: #2030965
Change-Id: Ice8a1c210e0ac2e50044f9a37e15b00fd9f306f4
CONF.scenario.img_dir file has been removed along with any other
support files. Exception has been raised when a user passes an
img file that does not exist in the CONF.scenario.img_file.
Exceptions import has been added for lib_exc.
Closes-Bug: #2032948
Change-Id: I2b57dd4928ab3f6858909fc90b7865aac2d93da2
Let's pin barbican-tempest-plugin for jobs that run code from branches in extended maintenance.
This change is required because these jobs install an older version of tempest that does not contain all functions consumed by master barbican-tempest-plugin.
Change-Id: Ia4a30d12de1a58b93a06979188e662edeef21ec6
Glance v1 APIs were removed in Rocky and tempest master
does not support the Rocky release. If Glance v1 APIs
need to be tested for an older release, then an older Tempest
can be used.
Tempest is removing the Glance v1 APIs tests, config option,
and its service clients and this change is needed for that.
Needed-By: https://review.opendev.org/c/openstack/tempest/+/890592
Change-Id: I0ef67e86730320755e6f642a36f97ab462fe0aad
As 2023.1 is released, we should add its job on master
gate to keep branchless tempest plugins compatible
to stable branch.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I59f29bcbf667f6598b00022eff4088ed324f1610
The test_get_effective_quotas test uses key-manager:service-admin
legacy role to get the effective quotas. Using a user with only this
role should lead to an ERROR in an SRBAC environment.
This patch changes the test so that it checks whether the ERROR
occurred when the test tried to get quotas in SRBAC environment.
Also, auth.tempest_roles = member was removed from tempest.conf
as it is not necessary and causes a failure of the modified
test and it might cause unwanted problems in the future.
Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74
This patch enables test_secret_stores tests in the SRBAC job. The tests
were previously fixed in this patch [1].
This change builds on the fix. It modifies the configuration of
the SRBAC job so that it is deployed with multiple secret
stores enabled.
[1] https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/883482
Change-Id: I60305a35528fd16ac4e995d11d6d0999a6440e44
This patch updates the rbac tests for testing the policy updates that
removed the "system" scope and use "project" scope instead.
Depends-On: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
Change-Id: I735cefe2b1cb4eb09c9770f0bdc738ffeee34f0e
There were five minor issues with the test_secret_stores tests:
1) There is a typo in some test cases. They are calling
unset_peferred_secret_store instead of unset_p<r>eferred_secret_store
2) Set and unset preferred secret stores API calls in the
SecretStoresClient expect 200 response status code when in fact they
should expect 204 instead [1].
3) test_get_preferred_secret_store test expects to get preferred
secret store when in fact none is set for the project.
4) skip_checks() function did not call super's skip_checks()
5) test_set_unset_preferred_secret_store test expects to get preferred
secret store for a project when there is no preferred secret store
set for it.
[1] https://docs.openstack.org/barbican/rocky/api/reference/store_backends.html#post-v1-secret-stores-secret-store-id-preferred
Change-Id: Ic211ea87006662c5a24aef3d1b78a5aa85b5e35b
This patch adds enable_certificate_validation config option. This option
can be used to skip tests that rely on image signature certificate
validation being enabled on the test environment
(test_signed_image_invalid_cert_boot_failure).
Change-Id: Id4134a2e87378487baa9e3d5f49e7ded48daa765
The tenant_id property of RestClient in tempest was deprecated in
25.0.0. This replaces the deprecated property by the new project_id
property to avoid the following warning.
    WARNING tempest.lib.common.rest_client [-] Deprecated: "tenant_id"
    property is deprecated for removal, use "project_id" instead
Depends-on: https://review.opendev.org/c/openstack/tempest/+/707938
Change-Id: I1b690898f1c88244b9f9a68e67e2263058171c2f
The exploit is that a malicious user with a Keystone account is able to decrypt
any secret as long as they know the secret's ID by using a specifically crafted
query string:
    GET /v1/secrets/{secret-id}/payload?target.secret.read=read
Change-Id: I5e00a188268ef1c25eed8bf3a37197918e529427
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Removing the py36 centos8 job as well as
updating the python classifier also to reflect the same.
[1] https://governance.openstack.org/tc/reference/runtimes/zed.html
Change-Id: I0ae09def76d163190d79ccbff231c3d2e3ac16e0