The exploit is that a malicious user with a Keystone account is able to decrypt
any secret as long as they know the secret's ID by using a specifically crafted
query string:

    GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Change-Id: I5e00a188268ef1c25eed8bf3a37197918e529427

This patch is the first in a refactor of the cleanup logic in our
tests.
This patch adds a new `cleanup()` method to the SecretClient that
attempts to delete all the secrets it creates.
Moving the responsibility of tracking which secrets to clean up down
to the client allows us more flexibility when cleaning up the resources.
e.g. it should be fairly easy to clean up secrets across multiple projects
by just calling the new `cleanup()` method on each client used.
This patch will also allow us to get rid of the overloaded `do_request()`
method that is currently used as a proxy to the client to be able to track
entities.
The change also makes the test code more explicit and easier to read.
Change-Id: Id9be832a0f255410bd955d94c32001fec500f32f

This patch adds basic RBAC tests for the Orders resource for
the reader, member, and admin personas with project scope.
Change-Id: Ie5b7b6f7df20ec96e916232e70e9f61c7771f9d2

This patch adds a gate to test the new secure-rbac policy.
Currently, Tempest is unable to create system admin credentials
when the isolated networks option is set to true, so we disable
that option for this gate.
This patch also includes fixes needed to get the existing tests
to pass, as well as some skips for scenario tests that require
isolated networks.
We should be able to remove the skips once Tempest is fixed to
work with system admin.
Depends-On: I584f7b67f2f95caa7c4db3d9d9222d0a9d38442d
Change-Id: I0129ab6d15bc42d98a19e3551b8d009f9ad05e10

Remove six

Replace the following items with Python 3 style code.
- six.moves.urllib
- six.binary_type
Change-Id: I234c3b205ee21b59953aa6ce7af5c2a1e4a6cfa6

This change adds all remaining methods of Barbican's
Secrets API resource to the Tempest plugin and
adds API tests for these methods.
Change-Id: Ia653de1221648ff5f028ebc22add423d0b7c2fe5
Depends-On: I930455c6ae1e1127706480f24c0ea46f5cc81e85
Implements: bp tempest-plugin

Add first API test and register the client with
the new tempest.lib client interface.
Change-Id: I27f15375c46faa48cd56c8d52ecfd585fb325239
Implements: bp tempest-plugin