When Tempest is used in customer site, often we are required to
provide a testcase list including testcase names and descriptions.
Now no this kind of doc is available, so we can add descriptions
with the format of doc string for every testcase, so later we
can generata such a testcase description list.
There are hundreds of testcases missing descriptions, so we can
add them gradually, and limit the modified files in one patch
for the convenience of reviewing.
Change-Id: Ifd23fd4cc442a3188a5a19b506694abffadea610
partially-implements: blueprint testcase-description
If the keystone user source is immutable, such as an LDAP
active directory implementation, tempest tests that try
to create or delete a user will fail. Instead of failing,
we would like them to skip. This change uses a testtools
decorator to avoid unnecessary modifications and allow those tests
to skip. In [1], I introduced the config setting that allows
this to happen.
[1] https://review.openstack.org/#/c/585536/
Change-Id: I786499204acdb929ee341e014bcb0459d2f27483
Partial-Bug: 1777047
allow_tenant_isolation option of auth and compute groups has been
deprecated over 3 years since I78a4884e980ef7d0103639cb3792a54c69fb7761.
So we have spended much enough time for removing them, this patch does.
Change-Id: I0b0a5e16a5e3785579f95f75fa149b311d918e8c
It could be confusing to new comers that the variables
cls.os and cls.os_primary or cls.alt_manager and cls.os_alt
actually are aliases. Besides we are not consistent in their usage.
This patch normalizes the usage around os_admin, os_primary and
os_alt. We keep the old aliases for compatibility but we should not
use them anymore.
This fix a long standing TODO item.
Change-Id: I5f7164f7a7ec5d4380ca22885000caa0183a0bf7
So many modules are using test.idempotent_id and this is for
switching to decorators.idempotent_id on identity.
Change-Id: I8c3ad6a3b20c6829c752f9fae5a27bd3e284c1b1
Related-Bug: #1616913
This is to do the same cleanup in identity as
Ie83d6533a6566a22ca78f9ea60a7be1c94531065,
when loop variable is not really used, then use
single underscore as the variable name.
Change-Id: I618c0dcc70bad8c0db7cea0e9783ab14e930452b
This patch adds a first set of tests for the PCI-DSS feature.
The tests included are related to:
- user account lockout
- password history requirements
It also fixes the behavior of the "test_users" API tests to
handle the environment with the PCI-DSS settings enabled.
We rely on the "security_compliance" feature flag, a follow
up patch in DevStack enables the required settings in
keystone at the same time that sets the configs for the tempest
tests and enables the feature flag.
Change-Id: I59fba9391f77dba026cce79d5fec9cb32c6bb72c
The _restore_password method within the
test_user_update_own_password() tests attempts to authenticate right
after changing a password. This patch makes it so that we wait one
second before attempt the authentication call, similar to the pattern
already established in the pre-existing test.
Change-Id: Ia51f28a70ae099f1ec93851d271db8556aced836
Dynamic credential providers generate TestResource objects, which
behave like Credentials but also include network resources.
We used to pass those directly into client managers, but that has
several issues: the interface of the client manager is confusing,
because it accepts two different type of objects in one parameter.
Having the client manager depending on the dynamic credential provider
is a problem because in turn that depends on the client manager,
which may lead to circular dependencies when trying to make those
stable interfaces for tempest.lib.
Finally TestResources seem to confused developers, since a number of tests
ignored the possibility of getting Credential fields from TestResources
directly, and went through the inner credentials atttribute.
I think the best approach for now is to pass auth.Credentials objects
only into the client manager. The client manager does not use the
network resources anyways.
We plan to refactor the link between credential provider and network
resources anyways, so it's better to have that outside of client
managers.
Change-Id: I71d4587bf0b640d05d0f78fb84364ce4d2d021f3
Partially-implements: bp client-manager-refactor
The current implementation uses object shallow copy to
get new credentials and clients to restore the password
after update, which is fragile and a bit complicated.
Using one client is enough. To restore the password
we clear auth to ensure a new token is requested, set the
new password temporarily, restore the password and finally
reset auth again.
Change-Id: I41f442ee89b1bd37dacb02b5ca276abd85981295
A note with time.sleep(1) were added for consistency like it is done
for the corresponding tests in [1]. Also, a few typos were fixed and
weird self.assertEqual(...)
subject_token = resp['x-subject-token']
...
self.assertEqual(resp['x-subject-token'], subject_token)
was deleted.
[1] https://review.openstack.org/#/c/275497/
Change-Id: I9cdd49a5361e21205a470da21d5cf69ce5b464bf
Keystone is moving to drop microsecond precision across the board
for consistency. This updates the comments to reflect that the sleep
is not a bug and expected.
Change-Id: I8beaeb4a94f0de1ad5d89df9ec77a1ae1b08a9d1
Closes-Bug: #1517697
Closes-Bug: #1513538
Now that tempest_lib code is copied back into tempest, stop using
tempest_lib in tempest, and start using the copied code.
Remove the dependency to tempest_lib from requirements, and drop
the script to use tempest_lib in tempest. Add os-testr to the
test-requirements.
Partially implements bp tempest-lib-reintegration
Change-Id: I21ab5fe6349f72c98ac9f960a29bf62e813f8b1b
Removes users client from identity client v2 into an own one.
Partially implements blueprint consistent-service-method-names
Change-Id: I2473fc29c68c763d02fe2d6ce59266e0eb84816d
As we discussed on
http://lists.openstack.org/pipermail/openstack-dev/2015-July/068864.html
All http POST/PUT methods need to contain **kwargs as their arguments.
This patch makes update_user_password, update_user_own_password,
enable_disable_user of v2 identity_client use **kwargs.
Partially implements blueprint consistent-service-method-names
Change-Id: I53fd646bbbee6d8de030d72f0c244c756e772e27
In a previous fix, Ied83448de8af1b0da9afdfe6ce9431438215bfe0, we applied a
sleep in order to mitigate a race condition in keystone with Fernet tokens.
This change moves that same concept to the tempest.api.identity.admin.v3 tests
so those pass with Fernet as well.
This change also separates the token from the v2 update user password response
in test_user_update_own_password() for the same reason. By isolating the token
from the update user call, we ensure we don't hit the same issue with the v2
update user password tests.
Change-Id: I34b7b7c34fa34551c0fdf9bdeb1ffaa432c10adc
Closes-Bug: 1473567
Related-Bug: 1517697
With Ied83448de8af1b0da9afdfe6ce9431438215bfe0 merging, we should be waiting
after the password is updated and before we reauthenticate. This change fixes
this to be correct. For some reason a transient failure didn't cause the tests
to fail.
Change-Id: I7286085325c3578958234176adb7588afdcac578
Closes-Bug: 1473567
This patch makes it so that there is a one second wait when changing a password
with Keystone. This is done because when we lose sub-second precision with
Fernet tokens there is the possibility of a token being issued and revoked
within the same second. Keystone will err on the side of security and return a
404 NotFound when validating a token that was issued in the same second as a
revocation event.
For example, it is possible for a revocation event to happen at .000001, but it
will be stored in MySQL as .000000 because of sub-second truncation. A token can
be created at .000002, but the creation time of that token, according to
Fernet, will be .000000, because Fernet tokens don't have sub-second precision.
When that token is validated, it will appear invalid even though it was created
*after* the revocation event.
Change-Id: Ied83448de8af1b0da9afdfe6ce9431438215bfe0
Closes-Bug: 1473567
This patch addresses other functions of identityv2 client which
are left out in https://review.openstack.org/#/c/216109/
partially implements: blueprint method-return-value-and-move-service-clients-to-lib
Change-Id: I804dce0ec4816ef8230207a1fad031e496fc1bce
Added test_user_update_own_password tests for Identity v2, v3
that test non admin user capability to change own password via
public identity client.
Tests check that after updating password token is revoked and
new token is valid; old password is invalid and new one is valid.
Change-Id: I4108312e01bbcacaa9ac6d6b9960ca0e75533f33
zhufl