Commit Graph

127 Commits

Author SHA1 Message Date
Zuul 82b0e48639 Merge "Support files removed for CONF.scenario.img_dir option" 2024-03-08 19:41:19 +00:00
Douglas Mendizábal 26928121dd Update roles required for testing
This patch removes the hard-coded 'key-manager:service-admin' role from
the base test class because the role is not available in deployments
with the new Secure RBAC policies enabled.

There is only one test that still requires this role in the API quotas
tests, so we generate a dynamic user there and only use it in this
class.  This test is skipped when SRBAC is enabled.

Change-Id: I6fbfe43f821d9315e01d3bdfd6f5d4edf4e552b7
2024-03-07 10:41:47 -06:00
Douglas Mendizábal df30b93583 Fix barbican_tempest option group
This patch fixes a bug with the barbican_tempest option group that was
breaking tempest init by returning the wrong object.

Change-Id: Ia62c43fc67114c89be5f481dab2cb11df6ee82b0
2024-02-19 14:53:58 -05:00
Takashi Kajinami 8f696b3219 Fix image_signature_verification group not register properly
Change-Id: I32d4a5864c2cf9ec364167c6f7dada21a1a6bd46
2024-02-19 19:45:41 +00:00
Zuul f2b9c024cb Merge "Replace deprecated tenant_id property" 2024-02-09 15:52:26 +00:00
Zuul 8debdcb489 Merge "Use consistent naming for enforce_scope option" 2024-02-09 15:52:25 +00:00
Zuul 6852d1dce8 Merge "Barbican tempest missing IDs" 2024-01-31 05:55:04 +00:00
Zuul ef7c2f473a Merge "Tests with signed volumes" 2024-01-29 14:52:40 +00:00
Takashi Kajinami 39eb56d9c7 Use consistent naming for enforce_scope option
Tempest and a few other plugins such as manila-tempest-plugin registers
the option to enable scope enforcement tests in the [enforce_scope]
option. This renames the option so that this plugin follows that
standard.

Change-Id: Ibd6962947c64f04ff1948a19c4afe9f26d0b47bb
2024-01-24 12:33:05 +09:00
Lukas Piwowarski 6345b34ae2 Pause testing of multiple secret stores
There is an issue with multiple secret stores which is being tracked in
this launchpad [1]. This issue is blocking patches in
barbican-tempest-plugin. Let's remove the testing for multiple secret
stores until the bug gets resolved.

There was also an update of the secret:delete and secret:get policies
[2]. This patch updates the corresponding SRBAC tests so that we test
the policies correctly.

[1] https://bugs.launchpad.net/barbican/+bug/2043457
[2] https://review.opendev.org/c/openstack/barbican/+/884181

Related-Bug: #2043457
Change-Id: I86335a1cb54b6aa2f74e148416ef6af7c27fff61
2023-12-18 11:26:38 +01:00
Maxim Sava 5558bcb784 Tests with signed volumes
Scenario tests with encrypted volumes and non encrypted volumes

Change-Id: Ia06e95841e1582d7154fea0bef3e84614b58e1e7
2023-11-16 14:23:57 +02:00
jont33 962ab9bb53 Barbican tempest missing IDs
Several tests in the Barbican-tempest-plugin are missing idempotent IDs.

The check-uuid tool was used to ensure that all tests have an ID.

Closes-Bug: #2030965
Change-Id: Ice8a1c210e0ac2e50044f9a37e15b00fd9f306f4
2023-11-08 13:58:48 +00:00
cheyenneb 65ab20fc37 Support files removed for CONF.scenario.img_dir option
CONF.scenario.img_dir file has been removed along with any other
support files. Exception has been raised when a user passes an
img file that does not exist in the CONF.scenario.img_file.
Exceptions import has been added for lib_exc.

Closes-Bug: #2032948
Change-Id: I2b57dd4928ab3f6858909fc90b7865aac2d93da2
2023-11-01 11:46:12 -04:00
Ghanshyam Mann e5ed4b9f1e Remove Glance v1 APIs tests code
Glance v1 APIs were removed in Rocky and tempest master
does not support the Rocky release. If glance v1 APIs
needs to be tested for older release then older Tempest
can be used.

Tempest is removing the Glance v1 APIs tests, config option,
and its service clients and this change is needed for that.

Needed-By: https://review.opendev.org/c/openstack/tempest/+/890592
Change-Id: I0ef67e86730320755e6f642a36f97ab462fe0aad
2023-08-06 12:05:43 -07:00
Zuul e765946be1 Merge "Update rbac tests" 2023-06-07 18:15:34 +00:00
Zuul a31f9ef3a6 Merge "Modify test_get_effective_quota test" 2023-06-06 09:01:46 +00:00
Lukas Piwowarski 832692c4fb Modify test_get_effective_quota test
The test_get_effective_quotas test uses key-manager:service-admin
legacy role to get the effective quotas. Using a user with only this
role should lead to an ERROR in an SRBAC environment.

This patch changes the test so that it checks whether the ERROR
occurred when the test tried to get quotas in SRBAC environment.

Also, auth.tempest_roles = member was removed from tempest.conf
as it is not necessary and causes a failure of the modified
test and it might cause unwanted problems in the future.

Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74
2023-06-01 10:32:29 +00:00
Lukas Piwowarski d8047c2025 Enable test_secret_stores tests
This patch enables test_secret_stores tests in the SRBAC job. The tests
were previously fixed in this patch [1].

This change builds on the fix. It modifies the configuration of
the SRBAC job so that it is deployed with enabled multiple secret
stores.

[1] https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/883482

Change-Id: I60305a35528fd16ac4e995d11d6d0999a6440e44
2023-05-22 14:40:29 +00:00
Zuul 3868bbf3c9 Merge "Fix test_secret_stores tests" 2023-05-18 21:29:31 +00:00
Douglas Mendizábal b51b3f5b61 Update rbac tests
This patch updates the rbac tests for testing the policy updates that
removed the "system" scope and use "project" scope instead.

Depends-On: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
Change-Id: I735cefe2b1cb4eb09c9770f0bdc738ffeee34f0e
2023-05-18 10:37:49 -05:00
Lukáš Piwowarski 26c700da60 Fix test_secret_stores tests
There were five minor issues with the test_secret_stores tests:

1) There is a typo in some test cases. They are calling
   unset_peferred_secret_store instead of unset_p<r>eferred_secret_store

2) Set and unset preferred secret stores API calls in the
   SecretStoresClient expect 200 response status code when in fact they
   should expect 204 instead [1].

3) test_get_preferred_secret_store test expects to get preferred
   secret store when in fact none is set for the project.

4) skip_checks() function did not call super's skip_checks()

5) test_set_unset_preferred_secret_store test expects to get preferred
   secret store for a project when there is no preferred secret store
   set for it.

[1] https://docs.openstack.org/barbican/rocky/api/reference/store_backends.html#post-v1-secret-stores-secret-store-id-preferred

Change-Id: Ic211ea87006662c5a24aef3d1b78a5aa85b5e35b
2023-05-18 14:35:53 +02:00
Zuul dba97635a1 Merge "Add enable_certificate_validation config option" 2023-05-04 08:42:21 +00:00
Lukáš Piwowarski bf80ee01bb Add enable_certificate_validation config option
This patch adds enable_certificate_validation config option. This option
can be used to skip tests that rely on image signature certificate
validation being enabled on the test environment
(test_signed_image_invalid_cert_boot_failure).

Change-Id: Id4134a2e87378487baa9e3d5f49e7ded48daa765
2023-05-03 14:47:45 +02:00
Lukáš Piwowarski b18a6bf265 Set a default region for clients
Clients initialized for tests.api.* tests do not have defined values
for region [1]. Because of that the clients connect to the first
available service endpoint that they find (see this line in
tempest [2]). This can cause issues when there are multiple endpoints
on a system for barbican (admin, internal, public).

This change sets a default value for key_manager.region config option
to 'regionOne' and ensures that clients defined on the side of
barbican-tempest-plugin are intialised with this value.

[1] https://opendev.org/openstack/barbican-tempest-plugin/src/branch/master/barbican_tempest_plugin/tests/api/base.py#L91
[2] https://opendev.org/openstack/tempest/src/branch/master/tempest/lib/auth.py#L586

Change-Id: Ic9ae00c663cca6b83dc961b984cf129d1c33afc4
2023-04-26 12:00:23 +02:00
Takashi Kajinami 00bd391ace Replace deprecated tenant_id property
The tenant_id property of RestClient in tempest was deprecated in
25.0.0. This replaces the deprecated property by the new project_id
property to avoid the following warning.

WARNING tempest.lib.common.rest_client [-] Deprecated: "tenant_id"
property is deprecated for removal, use "project_id" instead

Depends-on: https://review.opendev.org/c/openstack/tempest/+/707938
Change-Id: I1b690898f1c88244b9f9a68e67e2263058171c2f
2023-03-22 00:30:49 +09:00
Zuul 30e50ef9c8 Merge "Introduce a new test for "cve_2022_3100"" 2022-12-08 14:32:44 +00:00
millevy 46edcc5b05 Introduce a new test for "cve_2022_3100"
The exploit is that a malicious user with a Keystone account is able to decrypt
any secret as long as they know the secret's ID by using a specifically crafted
query string:
GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Change-Id: I5e00a188268ef1c25eed8bf3a37197918e529427
2022-12-07 08:01:02 +00:00
Zuul dc14cae0eb Merge "Add skip for api tests" 2022-10-28 11:03:39 +00:00
Zuul 4e13ee201e Merge "Remove setup_clients method" 2022-10-20 10:44:05 +00:00
Zuul 6d76a0868c Merge "Remove secgroups related methods" 2022-10-20 10:44:03 +00:00
Zuul 2505d0d64f Merge "Remove nova_volume_attach & nova_volume_detach methods" 2022-10-20 10:44:02 +00:00
Zuul 5aab50bde0 Merge "Add skip for test_encrypted_cinder_volumes_cryptsetup" 2022-10-20 10:23:03 +00:00
Zuul 7bc1460285 Merge "Remove create_floating_ip & get_server_ip methods" 2022-10-19 20:43:07 +00:00
SofiiaAndriichenko 3fa54eb116 Add skip for api tests
Change-Id: I67d2596b32063df92092e58bb3803372b22d1492
2022-10-19 16:20:24 -04:00
Douglas Mendizábal a32eaf0dd8 Test secret access via ACL
This patch enhances the ACL test to ensure that "other" user is not able
to get a secret before being added to the ACL.

After adding the ACL for the user, we check again to ensure the ACL is
working as intended by allowing the user now in the ACL to access the
secret.

Change-Id: I0b4e1fc71c62376301858128dd2fbb75bd1fa602
2022-08-30 14:51:34 -05:00
Ade Lee 45dd131392 Add RBAC tests for secret consumers
Change-Id: I5eac8d6d82d0fee6105e3ba235e7aa13d4d519cc
2022-08-10 20:50:02 +00:00
Ade Lee 519aa80cab Add tests for secret consumers
This patch adds microversion support to the plugin.  It adds two new
configuration values in tempest.conf for selecting which tests to run.
See [1] for more details.

[1] https://docs.openstack.org/tempest/latest/microversion_testing.html

Depends-On: https://review.opendev.org/c/openstack/barbican/+/840712
Change-Id: Iba604f74fb645bec2f03fd4ffb771d8f051dccfe
2022-08-09 16:41:21 +00:00
Roman Popelka 5307114035 Remove setup_clients method
As tempest.scenario.manager was announced stable interface in Tempest 27.0.0[1]
it can be now reused in plugins.

Replaced methods:
    * setup_clients

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0

Change-Id: Ib4df699fb7964b3f8e6d3b518a562acbaa3dd280
2022-07-13 15:52:07 +02:00
Roman Popelka 29541dcf25 Remove secgroups related methods
As tempest.scenario.manager was announced stable interface in Tempest 27.0.0[1]
it can be now reused in plugins.

Barbican tempest plugin still uses nova-network old interface for floating ip
related methods, this patch removes them and use tempests's ones which
already use neutron's interface.[2]

Replaced/Removed methods:
    * _default_security_group
    * _create_security_group
    * _create_loginable_secgroup_rule
    * _create_security_group_rule

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0
[2] bbc9dd34f6

Change-Id: I7605fe11caa8ae5725e0c0583c623ebad73d40da
2022-07-13 15:49:32 +02:00
Roman Popelka ddfeb25152 Remove nova_volume_attach & nova_volume_detach methods
As tempest.scenario.manager was announced stable interface in Tempest
27.0.0[1] it can be now reused in plugins.

Replaced methods:
    * nova_volume_attach
    * nova_volume_detach

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0

Change-Id: Ieb01041344ddc17b3bb4c34ada83a80d2fd612d9
2022-07-13 13:46:31 +00:00
Roman Popelka 0cc8bb6453 Remove create_floating_ip & get_server_ip methods
As tempest.scenario.manager was announced stable interface in Tempest 27.0.0[1] it can be now reused in plugins.

Barbican tempest plugin still uses nova-network old interface for floating ip related methods, this patch removes them and use tempests's ones which already use neutron's interface.[2]

Replaced methods:
	* create_floating_ip
	* get_server_ip

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0
[2] 6428139de1

Change-Id: I7b048f78d0ee8fd2aae33134caa1a8034fa31031
2022-07-13 15:46:02 +02:00
Zuul 7336b9a1f1 Merge "Remove create_volume & create_volume_type methods" 2022-07-12 13:02:15 +00:00
Zuul 583a00a4e9 Merge "Remove create_timestamp & get_timestamp methods" 2022-07-12 13:02:13 +00:00
Zuul f654e3ef20 Merge "Remove get_remote_client method" 2022-07-12 13:01:41 +00:00
Zuul f4c25f5206 Merge "Remove create_server and rebuild_server methods" 2022-07-12 13:01:40 +00:00
Zuul e4b0683526 Merge "Fix the import of NotFound exception" 2022-07-01 20:19:30 +00:00
Zuul 2e5b896b64 Merge "Remove _create_port and create_keypair methods" 2022-07-01 20:10:22 +00:00
Luigi Toscano 4e9303e1bb Fix the import of NotFound exception
It is exported by tempest.lib.exceptions, not tempest.exceptions
(it was originally until 2015).

Change-Id: Ic8ef45bcb9518968d32872a93fc3381004d218ff
2022-06-24 11:37:34 +02:00
Roman Popelka 5ac56787cb Remove create_volume & create_volume_type methods
As tempest.scenario.manager was announced stable interface in Tempest 27.0.0[1] it can be now reused in plugins.

Replaced methods:
	* create_volume
	* create_volume_type

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0

Change-Id: I183a0f8190bf7f336370732d8d08d1bb28ad2835
2022-03-17 10:19:42 +01:00
Roman Popelka 781850ab1d Remove create_timestamp & get_timestamp methods
As tempest.scenario.manager was announced stable interface in Tempest 27.0.0[1] it can be now reused in plugins.

Replaced methods:
	* create_timestamp
	* get_timestamp

Etherpad concerning this effort:
https://etherpad.opendev.org/p/tempest-scenario-manager-cleanup

[1] https://docs.openstack.org/releasenotes/tempest/v27.0.0.html#release-notes-27-0-0

Change-Id: Id6ba585c58c0e9b6564d85137fd00ae2a8954c06
2022-03-17 10:10:47 +01:00