From 5d7c92e20463fb2ba9a508789b8e2d5a3ce78f0f Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 13 Dec 2019 15:48:43 -0800
Subject: [PATCH] Add support for functional RBAC tests Add support to the keystone devstack plugin for setting enforce_scope in the keystone config and setting up tempest to test it. It may be better to move this to tempest proper at some point. See also: https://review.opendev.org/686073 https://review.opendev.org/698397 Change-Id: I1b71135547b7ce03afb5b44fbbab3f52d213a2ae
---
devstack/lib/scope.sh | 26 ++++++++++++++++++++++++++
devstack/plugin.sh | 7 +++++++
2 files changed, 33 insertions(+)
create mode 100644 devstack/lib/scope.sh
diff --git a/devstack/lib/scope.sh b/devstack/lib/scope.sh
new file mode 100644
index 0000000000..05b605cd94
--- /dev/null
+++ b/devstack/lib/scope.sh
@@ -0,0 +1,26 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+function configure_enforce_scope {
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope true
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ sudo systemctl restart devstack@keystone
+ oslopolicy-policy-generator --namespace keystone > /etc/keystone/policy.yaml
+}
+
+function configure_protection_tests {
+ iniset $TEMPEST_CONFIG identity-feature-enabled enforce_scope true
+ iniset $TEMPEST_CONFIG auth admin_system true
+ iniset $TEMPEST_CONFIG auth admin_project_name ''
+}
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 924b820b36..8f7a385357 100644
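Review bot: In configure_enforce_scope, keystone is restarted before oslopolicy-policy-generator writes the policy file, so the service comes back up with `policy_file` pointing at a file that may not exist yet. It then presumably relies on oslo.policy noticing the file later; generating the file first and making `sudo systemctl restart devstack@keystone` the last statement would make the ordering explicit. The output path is hard-coded as `/etc/keystone/policy.yaml` while the config file is addressed through `$KEYSTONE_CONF`, so the two diverge if the keystone config directory is overridden; writing to `$KEYSTONE_CONF_DIR/policy.yaml` (assuming that devstack variable is in scope here) keeps them together. The generator's exit status is not checked, and the redirect creates or truncates the file even when the command fails, so a failed generation would most likely leave an empty policy file and the protection tests would run against something other than the intended policy without any visible error. A short header comment on each function stating which config file it edits and that it is meant for the test-config phase only would also help.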
--- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -15,6 +15,7 @@ KEYSTONE_PLUGIN=$DEST/keystone/devstack source $KEYSTONE_PLUGIN/lib/federation.sh +source $KEYSTONE_PLUGIN/lib/scope.sh # For more information on Devstack plugins, including a more detailed # explanation on when the different steps are executed please see: @@ -47,6 +48,12 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then if is_service_enabled keystone-saml2-federation; then configure_tests_settings fi + if [[ "$(trueorfalse False KEYSTONE_ENFORCE_SCOPE)" == "True" ]] ; then + # devstack and tempest assume enforce_scope is false, so need to wait + # until the final phase to turn it on + configure_enforce_scope + configure_protection_tests + fi fi if [[ "$1" == "unstack" ]]; then
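Review bot: In the second hunk, the new `KEYSTONE_ENFORCE_SCOPE` branch calls configure_protection_tests unconditionally, so the `iniset $TEMPEST_CONFIG ...` calls run even when tempest is not part of the deployment. The federation branch just above it is guarded by `is_service_enabled`, and wrapping the tempest part the same way, `if is_service_enabled tempest; then configure_protection_tests; fi`, would let the keystone-side setting be used on its own. `KEYSTONE_ENFORCE_SCOPE` is introduced without any description in the visible change; a comment next to the check such as `# KEYSTONE_ENFORCE_SCOPE (default False): enable oslo_policy enforce_scope in keystone and system-scoped admin in tempest` would tell operators what turning it on changes. The enclosing `elif` block starts outside the hunk.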