Enforce scope in RBAC testing

Ensure that the Barbican service is configured to use scoped
tokens when checking RBAC policy.

Depends-On: Id399d2220118efe1033426c658d1834cbff02f94

Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22

.zuul.yaml

@@ -63,6 +63,7 @@
           $BARBICAN_CONF:
             oslo_policy:
               enforce_new_defaults: True
+              enforce_scope: True
         test-config:
           $TEMPEST_CONFIG:
             # FIXME(redrobot): Tempest errors out when you try to create a

barbican_tempest_plugin/tests/api/test_quotas.py

@@ -24,7 +24,7 @@ class QuotasTest(base.BaseKeyManagerTest):
     """Quotas API tests."""
 
     @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
-    def test_create_get_delete_quota(self):
+    def test_get_effective_quota(self):
         # Verify the default quota settings
         body = self.quota_client.get_default_project_quota()
         quotas = body.get('quotas')
@@ -34,6 +34,20 @@ class QuotasTest(base.BaseKeyManagerTest):
         self.assertEqual(-1, quotas.get('containers'))
         self.assertEqual(-1, quotas.get('consumers'))
 
+
+class ProjectQuotasTest(base.BaseKeyManagerTest):
+
+    @classmethod
+    def skip_checks(cls):
+        super().skip_checks()
+        if CONF.barbican_rbac_scope_verification.enforce_scope:
+            # These tests can't be run with the new RBAC rules because
+            # the APIs they're testing require system-scoped credentials
+            # instead of the project-scoped credentials used here.
+            raise cls.skipException("enforce_scope is enabled for barbican, "
+                                    "skipping project quota tests.")
+
+    def test_manage_project_quotas(self):
         # Confirm that there are no quotas
         body = self.quota_client.list_quotas()
         self.assertEqual(0, body.get('total'), body)