This patch updates tests to expect "admin" personas to be able to access
credential endpoints. The relevant policies have been updated in
Keystone.
Change-Id: I54d0ae44a7f669734edcbd31cbc03e9ccf3d829e
A recent change merged in keystone that now allows domain-scoped
tokens to be used to list domains. [1]
This patch changes the tests in the DomainXXXTests classes to expect
the API calls to return without error instead of expecting them to
return 403 - Forbidden.
[1] dd785ee692
Change-Id: I97251f7f2974d3c562e59cc461294d9b040193ed
This patch updates the RBAC tests to test the new policy changes in
Keystone that allow users with the "admin" (aka root) role to access
system-level APIs previously available only to the system-admin persona.
The changes affect both the project-admin and domain-admin personas.
All the relevant policy changes have been made in keystone.
Depends-On: https://review.opendev.org/c/openstack/keystone/+/908524
Change-Id: I43c6da5bce9552948692eef8d71408d74382cc4e
This patch updates the jobs to reflect the latest suported branches for
keystone.
Test jobs for both antleope (2023.1) and bobcat (2023.2) have been
added, and the jobs for the xena and yoga branches have been removed as
they are no longer maintained.
This patch also makes the protection jobs non-voting as they are
expected to fail due to policy changes in keystone. A follow-up patch
fixes the test and re-enables the job.
Change-Id: I2d3968672eb4dd32a163827a7e24384578a4c913
There may be a need to run these tests with an existing user. This
checks the existing user flags and uses that information if they
are true. Defautls to false.
Change-Id: I5dfab4cfa2c55fd133ab7ad2d5235399865794ab
This adds tests to test getting a token (scoped and unscoped) when
keystone is configured to use oidc for authentication. The oidc
provider is keycloak. This is based in very large part on Kristi's
work in [1] and [2].
[1] https://github.com/knikolla/devstack-plugin-oidc
[2] https://github.com/CCI-MOC/onboarding-tools
Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1772b65f1cc3830ac293a800a79d044a6ab69d65
In 2023.1 cycle. we are moving the default distro
version of Ubuntu to Jammy (22.04)[1] so we need to pin
the nodeset for stable branch job in master gate so that
they continue run on their supporting distro version which is
Ubuntu Focal since stable/victoria.
[1] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html
Change-Id: I7d8027dd893e07581ca30053c4d6c8ba843b14d9
As zed is released, we should add its job on master
gate to keep branchless tempest plugins compatible
to stable branch.
Also, removing the stable/wallaby job as that is in EM
state.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I28117a37a41ac76ba5561a285e417882c2d6a5a1
we have stable/xena and stable/yoga also present
and supported so we should add their job on master
gate to keep branchless tempest plugins compatible
to stable branch.
This also removes the old EM stable branches which are
train, ussuri, and victoria jobs.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: I3181e8a321aa36d06d00b0e96c2a7733a438aea3
This patch replaces Identity client default endpoint type,
which is set to 'adminURL', to use the 'v3_endpoint_type'
from identity configuration.
Related-Bug: #1959930
Change-Id: Iee1fe30420d5ec4721a444e3a10985b31ec23601
Signed-off-by: Douglas Viroel <dviroel@redhat.com>
We have stable/victoria and stable/wallaby released so we
should add their job on master gate to keep branchless
tempest plugins compatible to those branch.
This also removes the stable/stein job as that is in EM
state now.
Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html
Change-Id: Ic60d898969e730fcf1aebc4d103f06ec0baf24ed
This change leverages the nine default personas available in tempest[1]
to demonstrate a potential framework for testing default policies. An
abstract base class is created that helps set up credentials and
outlines every policy that needs to be tested, then nine subclasses are
created to test every persona. Each test represents one policy rule, and
some tests make multiple requests in order to test the policy from
different approaches, for example, to check what happens if a different
domain is specified, or what happens if the resource does not exist.
The idea here is to be very verbose and explicit about what is being
tested: every policy gets one test in the base class, and each persona
is tested in a subclass. The layout should be easy to understand and
someone reading the code should not be left guessing whether a case is
missing or if there is magic happening in the background that is causing
a false positive or false negative.
This is intended to replace the unittest protection tests currently
in place.
[1] https://review.opendev.org/686306 (this will require additional
devstack and keystone configuration to work properly in CI)
Depends-on: https://review.opendev.org/686306
Depends-on: https://review.opendev.org/699051
Depends-on: https://review.opendev.org/699519
Depends-on: https://review.opendev.org/700826
Depends-on: https://review.opendev.org/743853
Depends-on: https://review.opendev.org/744087
Depends-on: https://review.opendev.org/744268
Depends-on: https://review.opendev.org/731087
Change-Id: Icb5317b9297230490bd783fe9b07c8db244c06f8
This change is consistent with updates we landed in keystone:
fb86048d0a83cc6f2b5dcf78124ed12202902092
Change-Id: Ibd1d6624fc3addbe60c7218766d80cb43ad732bc
As per victoria cycle testing runtime and community goal[1]
we need to migrate upstream CI/CD to Ubuntu Focal(20.04).
Most of the Tempest jobs will be migrate automatically once devstack
base job start running on Focal(Depends-On).
Stable jobs testing stable branch needs to keep running on their supported
distro version which is bionic from stein till ussuri.
[1] https://governance.openstack.org/tc/goals/selected/victoria/migrate-ci-cd-jobs-to-ubuntu-focal.html
Change-Id: I8c7c12202e5fd024999bb2010bb483b0b2582346
Story: #2007865
Task: #40190
This change adds tempest clients for the registered limits and limits
APIs. While those APIs are experimental, it's best to start development
of the tempest tests in the keystone plugin rather than in tempest. This
base can be used for both developing exhaustive API tests for these APIs
as well as for RBAC tests.
Change-Id: I30b5b2ac5f10fd457e436df876f872432059b655
assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use them since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to use assertCountEqual.
[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277
Change-Id: I2edc09748de1739c558040a8ae6a15373ad1a93b
Update docs building and cleanup a bit:
* Update requirements for Sphinx and openstackdocstheme for
python 3, create doc/requirements.txt for these
* Remove unneeded doc and translation sections from setup.cfg
* Remove install_command, it's unneeded, the default is fine,
move constraints into deps, use TOX_CONSTRAINTS instead of
obsolete UPPER_CONSTRAINTS
* Use new variables from updated openstackdocstheme
Change-Id: I659a8736195ff621032b4fb3bd7a72fa616cf8c6
This patch follows the sequence of adding addCleanup
just after creating a resource similar to whole
keystone-tempest-plugin repo. This is to avoid the
resource leakage issue if anything happen between
resource creation and addcleanup line.
Change-Id: I258c440417eaecb8f5ed4dc1e0eb6138edda883b
Do not use the admin user as a shadowed federated user for the K2K
tests. When trying to add expiring groups for the admin user, keystone
has trouble looking up the user in the cache and fails to add the groups
to the user. This sometimes results in test failures, which may be
masked as failure to clean up the identity provider in between tests and
resulting in a conflict trying to recreate it. This change instead uses
an ephemeral test user rather than the admin user, which is not meant to
be used for authentication tests anyway.
Change-Id: Ia4b53b41a0030772a2abdba949ad7529880d8f70
This patch add the jobs for stable/stein, stable/train and
stable/ussuri in keystone tempest plugin. Supported stable branch
use keystone-tempest-plugin master version to test them. Adding stable
job on master ensures that keystone-tempest-plugin master version is
compatible with stable branches testing.
Change-Id: I72bf38247f693a2efcdad2e64a8948023350ff53
Without this patch, the stable keystone branches fail the K2K tests
because they don't support the assertion feature added in #1687593 and
we don't intend to backport it. This change allows the stable branches
to still be tested using a regular static group mapping.
Change-Id: Ie1be1cc0e961a1584c99247f0c1b0032576718d8
This patch adds the test case for the adddtion of
"openstack_groups" to the idp assertion.
Depends-on: https://review.opendev.org/#/c/588211/
Change-Id: I5dd932b34a2a8d1013641e08eabfdac84bb4092e
There is a race condition when the test_service_providers_in_token
test is run at the same time as the k2k test because an extra SP
will appear in the list.
By checking items in the list individually instead of comparing
list equality this should fix the issue.
Change-Id: I13a7a747e108562b326aee1b88485a377530f8a5
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
The tempest plugin is used on older branches as well.
We really only need hacking on master anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.
Change-Id: Ia1a3c7cf9f48b30ca800c59078f38f2a22c1a0da
As per the community goal drop python2.7 [1], tempest is dropping
py3.5 and asked to drop from its plugins too.
[1]lists.openstack.org/pipermail/openstack-discuss/2020-February/012310.html
Change-Id: I40d40c58a77c58533da543d59cdb4549a1d20d45
Currently, the federation tests are non-voting because they require
connecting to an external service that is not under our control, and is
therefore unreliable. Non-voting tests are a problem because they are
often ignored even when their results are related to new changes. This
change adds a tempest config option
``[identity-feature-enabled]/external_idp``, defaulting to true for
backwards compatibility, which when disabled causes the tests that rely
on the external IdP to be disabled leaving only the K2K federation tests
to be executed. Exercising only the K2K tests is still a good means of
regression testing and we can safely make those tests voting.
Change-Id: I534470df7ca529511ab9a7631f167ec2035ab4be
Use sphinx-build instead of the pbr sphinx extention for building docs
as instructed by the PTI[1].
It fixes the header formatting for the index page, as the headers weren't
rendering at all.
[1] https://governance.openstack.org/tc/reference/pti/python.html
Change-Id: Ibac2b45ecfab4a7e575d097ecb9fc2c5e57b81cf