This patch updates tests to expect "admin" personas to be able to access
credential endpoints. The relevant policies have been updated in
Keystone.
Change-Id: I54d0ae44a7f669734edcbd31cbc03e9ccf3d829e
A recent change merged in keystone that now allows domain-scoped
tokens to be used to list domains. [1]
This patch changes the tests in the DomainXXXTests classes to expect
the API calls to return without error instead of expecting them to
return 403 - Forbidden.
[1] dd785ee692
Change-Id: I97251f7f2974d3c562e59cc461294d9b040193ed
This patch updates the RBAC tests to test the new policy changes in
Keystone that allow users with the "admin" (aka root) role to access
system-level APIs previously available only to the system-admin persona.
The changes affect both the project-admin and domain-admin personas.
All the relevant policy changes have been made in keystone.
Depends-On: https://review.opendev.org/c/openstack/keystone/+/908524
Change-Id: I43c6da5bce9552948692eef8d71408d74382cc4e
There may be a need to run these tests with an existing user. This
checks the existing user flags and uses that information if they
are true. Defaults to false.
Change-Id: I5dfab4cfa2c55fd133ab7ad2d5235399865794ab
This adds tests to test getting a token (scoped and unscoped) when
keystone is configured to use oidc for authentication. The oidc
provider is keycloak. This is based in very large part on Kristi's
work in [1] and [2].
[1] https://github.com/knikolla/devstack-plugin-oidc
[2] https://github.com/CCI-MOC/onboarding-tools
Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1772b65f1cc3830ac293a800a79d044a6ab69d65
This patch replaces Identity client default endpoint type,
which is set to 'adminURL', to use the 'v3_endpoint_type'
from identity configuration.
Related-Bug: #1959930
Change-Id: Iee1fe30420d5ec4721a444e3a10985b31ec23601
Signed-off-by: Douglas Viroel <dviroel@redhat.com>
This change leverages the nine default personas available in tempest[1]
to demonstrate a potential framework for testing default policies. An
abstract base class is created that helps set up credentials and
outlines every policy that needs to be tested, then nine subclasses are
created to test every persona. Each test represents one policy rule, and
some tests make multiple requests in order to test the policy from
different approaches, for example, to check what happens if a different
domain is specified, or what happens if the resource does not exist.
The idea here is to be very verbose and explicit about what is being
tested: every policy gets one test in the base class, and each persona
is tested in a subclass. The layout should be easy to understand and
someone reading the code should not be left guessing whether a case is
missing or if there is magic happening in the background that is causing
a false positive or false negative.
This is intended to replace the unittest protection tests currently
in place.
[1] https://review.opendev.org/686306 (this will require additional
devstack and keystone configuration to work properly in CI)
Depends-on: https://review.opendev.org/686306
Depends-on: https://review.opendev.org/699051
Depends-on: https://review.opendev.org/699519
Depends-on: https://review.opendev.org/700826
Depends-on: https://review.opendev.org/743853
Depends-on: https://review.opendev.org/744087
Depends-on: https://review.opendev.org/744268
Depends-on: https://review.opendev.org/731087
Change-Id: Icb5317b9297230490bd783fe9b07c8db244c06f8
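The layout described in the commit message above, sketched with plain unittest as an added example (not code from keystone-tempest-plugin): one abstract test per policy rule in a base class, one subclass per persona. The `POLICY` table, the `call_api` helper and the two personas shown (of the nine) are constructed for illustration and are not keystone's real defaults.

```python
import abc
import unittest

# Constructed table, not keystone's defaults: rule -> allowed (scope, role).
POLICY = {
    "identity:list_domains": {("system", "admin"), ("domain", "reader")},
    "identity:create_domain": {("system", "admin")},
}

def call_api(persona, rule):
    if persona not in POLICY[rule]:
        raise PermissionError(rule)  # stands in for HTTP 403
    return "ok"

class PolicyTests(abc.ABC):
    """One abstract test per policy rule; each persona must define them all."""
    def allowed(self, rule):
        self.assertEqual("ok", call_api(self.persona, rule))
    def denied(self, rule):
        self.assertRaises(PermissionError, call_api, self.persona, rule)
    @abc.abstractmethod
    def test_list_domains(self): ...
    @abc.abstractmethod
    def test_create_domain(self): ...

class SystemAdminTests(PolicyTests, unittest.TestCase):
    persona = ("system", "admin")
    def test_list_domains(self): self.allowed("identity:list_domains")
    def test_create_domain(self): self.allowed("identity:create_domain")

class DomainReaderTests(PolicyTests, unittest.TestCase):
    persona = ("domain", "reader")
    def test_list_domains(self): self.allowed("identity:list_domains")
    def test_create_domain(self): self.denied("identity:create_domain")

def run_suite(*cases):
    load = unittest.defaultTestLoader.loadTestsFromTestCase
    result = unittest.TestResult()
    unittest.TestSuite(load(c) for c in cases).run(result)
    return result.testsRun, len(result.failures) + len(result.errors)

def incomplete_persona_rejected():
    class Incomplete(PolicyTests, unittest.TestCase):  # omits create_domain
        def test_list_domains(self): self.allowed("identity:list_domains")
    try:
        Incomplete("test_list_domains")
    except TypeError:  # abstract test left unimplemented
        return True
    return False
```

A persona class that skips a policy cannot even be instantiated, and loosening the constructed table so a domain reader may create domains makes `DomainReaderTests.test_create_domain` fail rather than pass silently.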
This change adds tempest clients for the registered limits and limits
APIs. While those APIs are experimental, it's best to start development
of the tempest tests in the keystone plugin rather than in tempest. This
base can be used for both developing exhaustive API tests for these APIs
as well as for RBAC tests.
Change-Id: I30b5b2ac5f10fd457e436df876f872432059b655
assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use them since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to use assertCountEqual.
[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277
Change-Id: I2edc09748de1739c558040a8ae6a15373ad1a93b
This patch follows the sequence of adding addCleanup
just after creating a resource, similar to the whole
keystone-tempest-plugin repo. This is to avoid the
resource leakage issue if anything happens between
resource creation and the addCleanup line.
Change-Id: I258c440417eaecb8f5ed4dc1e0eb6138edda883b
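Why the ordering in the commit message above matters, as an added example (not code from the plugin): the same failing test is run with the cleanup registered immediately after creation and with it registered late. `FakeClient` and the `idp-1` resource are constructed stand-ins for an API client and a created resource.

```python
import unittest

class FakeClient:
    """Constructed stand-in for an identity API client."""
    def __init__(self):
        self.live = set()  # resources that currently exist
    def create_idp(self, idp_id):
        self.live.add(idp_id)
        return idp_id
    def delete_idp(self, idp_id):
        self.live.discard(idp_id)
    def update_idp(self, idp_id):
        raise RuntimeError("simulated failure right after creation")

def leaked_resources(cleanup_first):
    """Run one failing test and return the resources it left behind."""
    client = FakeClient()

    class IdpTest(unittest.TestCase):
        def test_update(self):
            idp = client.create_idp("idp-1")
            if cleanup_first:
                # Ordering used by the patch: register, then keep working.
                self.addCleanup(client.delete_idp, idp)
                client.update_idp(idp)
            else:
                # Late ordering: the exception skips the registration.
                client.update_idp(idp)
                self.addCleanup(client.delete_idp, idp)

    result = unittest.TestResult()
    IdpTest("test_update").run(result)
    assert len(result.errors) == 1  # the test errors in both orderings
    return sorted(client.live)
```

Both runs report the same error; only the late ordering leaves `idp-1` behind, which a later test then trips over as a conflict.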
Do not use the admin user as a shadowed federated user for the K2K
tests. When trying to add expiring groups for the admin user, keystone
has trouble looking up the user in the cache and fails to add the groups
to the user. This sometimes results in test failures, which may be
masked as failure to clean up the identity provider in between tests and
resulting in a conflict trying to recreate it. This change instead uses
an ephemeral test user rather than the admin user, which is not meant to
be used for authentication tests anyway.
Change-Id: Ia4b53b41a0030772a2abdba949ad7529880d8f70
Without this patch, the stable keystone branches fail the K2K tests
because they don't support the assertion feature added in #1687593 and
we don't intend to backport it. This change allows the stable branches
to still be tested using a regular static group mapping.
Change-Id: Ie1be1cc0e961a1584c99247f0c1b0032576718d8
This patch adds the test case for the addition of
"openstack_groups" to the idp assertion.
Depends-on: https://review.opendev.org/#/c/588211/
Change-Id: I5dd932b34a2a8d1013641e08eabfdac84bb4092e
There is a race condition when the test_service_providers_in_token
test is run at the same time as the k2k test because an extra SP
will appear in the list.
By checking items in the list individually instead of comparing
list equality this should fix the issue.
Change-Id: I13a7a747e108562b326aee1b88485a377530f8a5
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
The tempest plugin is used on older branches as well.
We really only need hacking on master anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.
Change-Id: Ia1a3c7cf9f48b30ca800c59078f38f2a22c1a0da
Currently, the federation tests are non-voting because they require
connecting to an external service that is not under our control, and is
therefore unreliable. Non-voting tests are a problem because they are
often ignored even when their results are related to new changes. This
change adds a tempest config option
``[identity-feature-enabled]/external_idp``, defaulting to true for
backwards compatibility, which when disabled causes the tests that rely
on the external IdP to be disabled leaving only the K2K federation tests
to be executed. Exercising only the K2K tests is still a good means of
regression testing and we can safely make those tests voting.
Change-Id: I534470df7ca529511ab9a7631f167ec2035ab4be
During the federation test, when creating an identity provider, a
new domain will be created as well. This auto generated domain
should be cleaned up when the test exits.
Depends-on: https://review.openstack.org/#/c/628132/
Change-Id: I6dcd0a0154c8658585a98ae138825881fe51d664
Function 'tempest.test.attr()' has moved to
'tempest.lib.decorators.attr()' in Pike and will be removed in a
future version [1].
This patch replaces the 'tempest.test.attr()' with the
'tempest.lib.decorators.attr()'.
[1] Iaafbb112b6eee458089cc49918359a8a8d0485e2
Change-Id: I52289f8915c05c338b46dce5df7e7d674846916a
Tempest plugin tests use the same config file/object from the
upstream tempest, therefore instead of registering the same group
again in plugin tests we should reuse already existing groups and
register only plugin specific option here.
Change-Id: I948fdcf20732b98d5ba5d34fe0352ea9cff59f91
Closes-Bug: #1659596
keystone/token/providers/fernet/token_formatters.py
  * decode payload[2] from bytes to string before comparing
    with a string (CONF.identity.default_domain_id)
keystone_tempest_plugin/services/identity/clients.py
keystone_tempest_plugin/services/identity/v3/auth_client.py
keystone_tempest_plugin/services/identity/v3/identity_providers_client.py
  * decode the response body from bytes to string before we
    try to parse the json using json.loads
Change-Id: I98053bc498d78c5f0076a66e725ff2d634f5b663
This should fix our gate. We should continue the work to remove
the dependencies from any module that isn't at tempest.lib.
Change-Id: I2158d1971a4187171a89169c3f324453f0ec13be
For some reason the third-party imports were divided into two
separate groups. This commit combines them to follow the convention
established throughout the rest of the project.
Change-Id: Ice1a681938aef96d0d289a83cadc1cde2f12eb1e
Adds a first test for the federated authentication feature. It handles
first the authentication using the SAML2 ECP profile.
The tests' cleanup has some issues, see related bug.
Related-Bug: 1642692
Change-Id: I3b393a695c6d9f846efdaf302c1beea34e6bd54b
This patch validates that a mapping exists when adding or updating
a federation protocol.
Change-Id: I996f94d26eb0f2c679542ba13a03bbaa4442486a
Closes-Bug: #1571878
keystone.common.config is 1200+ lines of super dense, merge-conflict
prone, difficult to navigate, and finicky to maintain code. Let's follow
nova's lead and break it down into more manageable modules.
This patch creates a new Python package, keystone.conf, and moves all of
our configuration options into it, mirroring nova's nova.conf package.
There are a couple special modules in keystone.conf introduced here as
well:
- keystone.conf.__init__: This causes all of Keystone's options to be
  registered on import, so consumers of keystone.conf don't have
  races with config initialization code while trying to use
  oslo_config.cfg.CONF directly (keystone.conf replaces all uses for
  oslo_config.cfg.CONF in keystone).
- keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer
  this to be called 'default.py', but I'm just copying nova's lead here.
- keystone.conf.opts: The entry point for oslo.config itself.
- keystone.conf.constants: There are a few constants (deprecation
  messages, default paths, etc) that are used by multiple configuration
  modules, so they need to live in a common place.
Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
This patch does a cleanup and fixes some nits found by reviewers
in the original patches [1], some of them are:
- import json instead of jsonutils
- use six.moves.http_client
- put common logic on clients superclass
- use "fails" to indicate negative cases
- stronger comparison in update tests
[1] https://review.openstack.org/#/q/topic:federation_integration_tests
Change-Id: I216fc5d4758e7b09d167d9d26271ddd149c66816
This patch adds the tests related to protocols/mappings
in the Identity Provider API (part of the Federated
Identity API)
Change-Id: I5e2573a175edbaf6f7a1bb73f3e0a86deeb94f1d
This patch adds the tests for the Mappings API (part of the
Federated Identity API).
The tests added here are not intended to cover all negative and
corner cases, they are rather testing the API in a higher level
and its integration in a working environment.
Change-Id: If245a12a407f960a7ad5f73aa7af717229976ea2
This patch adds the tests for the Service Provider API (part of
the Federated Identity API).
To run the tests install keystone and run (in tempest):
$ tox -e all-plugin -- keystone
Change-Id: I6d6f44736e4187dd2a500c7c0b6715e52296a9b3
The method has changed from get_configured_credentials to
get_configured_admin_credentials.
This is one of the parts imported directly from tempest
(not tempest.lib) so there is no "care" in keeping it stable.
Change-Id: I0072157d0cf9ab87a5b939868ae4a1d0bbec294b
This patch adds a first set of tests in the keystone tempest plugin.
These tests are for the Identity Provider API (part of the Federated
Identity API).
To run the tests install keystone and run (in tempest):
$ tox -e all-plugin -- keystone
Change-Id: I64ebba2e57aa952a2262f9e0ad143cea7de259c0
This patch adds the basic files and configs in order to enable the
keystone tempest plugin interface using tempest-plugin-cookiecutter.
Since we are adding them inside keystone's repository, they can be
installed alongside keystone and to run the tests (when we have one)
we simply use `testr run keystone_tempest_plugin` in tempest.
For more details about the tempest plugin interface see [1]
[1] http://docs.openstack.org/developer/tempest/plugin.html
Change-Id: Ia42e79246251e8af1010aa8eaf462aacf75644a7
Partially-Implements: bp keystone-tempest-plugin-tests