Commit Graph

103 Commits

Author SHA1 Message Date
Douglas Mendizábal b2aa462f0e Consistent and Secure RBAC (Phase 1)
This patch updates the RBAC tests to test the new policy changes in
Keystone that allow users with the "admin" (aka root) role to access
system-level APIs previously available only to the system-admin persona.

The changes affect both the project-admin and domain-admin personas.

All the relevant policy changes have been made in keystone.

Depends-On: https://review.opendev.org/c/openstack/keystone/+/908524
Change-Id: I43c6da5bce9552948692eef8d71408d74382cc4e
2024-02-13 01:45:41 +00:00
Douglas Mendizábal 4c4cdfebce Update supported branches
This patch updates the jobs to reflect the latest suported branches for
keystone.

Test jobs for both antleope (2023.1) and bobcat (2023.2) have been
added, and the jobs for the xena and yoga branches have been removed as
they are no longer maintained.

This patch also makes the protection jobs non-voting as they are
expected to fail due to policy changes in keystone.  A follow-up patch
fixes the test and re-enables the job.

Change-Id: I2d3968672eb4dd32a163827a7e24384578a4c913
2024-02-13 10:45:09 +09:00
Dave Wilde dbe56f0a07 Add existing user logic
There may be a need to run these tests with an existing user.  This
checks the existing user flags and uses that information if they
are true. Defautls to false.

Change-Id: I5dfab4cfa2c55fd133ab7ad2d5235399865794ab
2023-05-02 14:11:49 -05:00
Zuul 6106a0eb07 Merge "Pin stable branch jobs nodeset to Ubuntu Focal (20.04)" 2023-03-06 21:46:48 +00:00
Zuul a2b0a5dc59 Merge "Add keystone oidc tests" 2023-03-01 17:12:30 +00:00
Ade Lee 47a5e98ae9 Add keystone oidc tests
This adds tests to test getting a token (scoped and unscoped) when
keystone is configured to use oidc for authentication.  The oidc
provider is keycloak.  This is based in very large part on Kristi's
work in [1] and [2].

[1] https://github.com/knikolla/devstack-plugin-oidc
[2] https://github.com/CCI-MOC/onboarding-tools

Co-Authored-By: David Wilde <dwilde@redhat.com>
Change-Id: I1772b65f1cc3830ac293a800a79d044a6ab69d65
2023-03-01 11:17:04 +01:00
Ghanshyam Mann 5b9eb634ec Pin stable branch jobs nodeset to Ubuntu Focal (20.04)
In 2023.1 cycle. we are moving the default distro
version of Ubuntu to Jammy (22.04)[1] so we need to pin
the nodeset for stable branch job in master gate so that
they continue run on their supporting distro version which is
Ubuntu Focal since stable/victoria.

[1] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html

Change-Id: I7d8027dd893e07581ca30053c4d6c8ba843b14d9
2023-02-15 17:57:38 -08:00
Ghanshyam Mann 0506e1c6d9 Update stable jobs on master gate
As zed is released, we should add its job on master
gate to keep branchless tempest plugins compatible
to stable branch.

Also, removing the stable/wallaby job as that is in EM
state.

Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html

Change-Id: I28117a37a41ac76ba5561a285e417882c2d6a5a1
2023-01-26 19:37:02 -06:00
Ghanshyam Mann 7f43a20380 Update stable branches jobs on master gate
we have stable/xena and stable/yoga also present
and supported so we should add their job on master
gate to keep branchless tempest plugins compatible
to stable branch.

This also removes the old EM stable branches which are
train, ussuri, and victoria jobs.

Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html

Change-Id: I3181e8a321aa36d06d00b0e96c2a7733a438aea3
2022-05-31 18:48:33 -05:00
Douglas Viroel 4eff632695 Replace Identity client endpoint type
This patch replaces Identity client default endpoint type,
which is set to 'adminURL', to use the 'v3_endpoint_type'
from identity configuration.

Related-Bug: #1959930
Change-Id: Iee1fe30420d5ec4721a444e3a10985b31ec23601
Signed-off-by: Douglas Viroel <dviroel@redhat.com>
2022-02-04 14:46:11 -03:00
Zuul f57af91f9a Merge "Replace assertItemsEqual with assertCountEqual" 2022-01-15 15:00:18 +00:00
Ghanshyam Mann 32e48a7ea5 Add victoria/wallaby stable branch jobs on master gate
We have stable/victoria and stable/wallaby released so we
should add their job on master gate to keep branchless
tempest plugins compatible to those branch.

This also removes the stable/stein job as that is in EM
state now.

Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html

Change-Id: Ic60d898969e730fcf1aebc4d103f06ec0baf24ed
2021-04-29 18:34:31 -05:00
Lance Bragstad faa9b13891 Increase protection testing for application credentials
This commit updates the application credential protection tests to
ensure users can't craft paths that bypass application credential
ownership checks.

Depends-On: https://review.opendev.org/c/openstack/keystone/+/760972
Change-Id: I7729190d42a6a7199553c5fc058e1b93eecb2068
Related-Bug: 1901207
2021-02-11 16:03:10 +00:00
Colleen Murphy a6d4ceaf57 Add RBAC tests
This change leverages the nine default personas available in tempest[1]
to demonstrate a potential framework for testing default policies. An
abstract base class is created that helps set up credentials and
outlines every policy that needs to be tested, then nine subclasses are
created to test every persona. Each test represents one policy rule, and
some tests make multiple requests in order to test the policy from
different approaches, for example, to check what happens if a different
domain is specified, or what happens if the resource does not exist.

The idea here is to be very verbose and explicit about what is being
tested: every policy gets one test in the base class, and each persona
is tested in a subclass. The layout should be easy to understand and
someone reading the code should not be left guessing whether a case is
missing or if there is magic happening in the background that is causing
a false positive or false negative.

This is intended to replace the unittest protection tests currently
in place.

[1] https://review.opendev.org/686306 (this will require additional
devstack and keystone configuration to work properly in CI)

Depends-on: https://review.opendev.org/686306
Depends-on: https://review.opendev.org/699051
Depends-on: https://review.opendev.org/699519
Depends-on: https://review.opendev.org/700826
Depends-on: https://review.opendev.org/743853
Depends-on: https://review.opendev.org/744087
Depends-on: https://review.opendev.org/744268
Depends-on: https://review.opendev.org/731087

Change-Id: Icb5317b9297230490bd783fe9b07c8db244c06f8
2021-02-11 16:02:54 +00:00
Lance Bragstad 2473e5bdba Update federation jobs to use ubuntu focal
This change is consistent with updates we landed in keystone:

  fb86048d0a83cc6f2b5dcf78124ed12202902092

Change-Id: Ibd1d6624fc3addbe60c7218766d80cb43ad732bc
2021-02-10 19:31:18 +00:00
Zuul 774bb4f905 Merge "Add tempest clients for limits" 2020-09-21 14:39:39 +00:00
Ghanshyam Mann 4774d61bb4 [goal] Migrate keystone-tempest-plugin jobs to focal
As per victoria cycle testing runtime and community goal[1]
we need to migrate upstream CI/CD to Ubuntu Focal(20.04).

Most of the Tempest jobs will be migrate automatically once devstack
base job start running on Focal(Depends-On).

Stable jobs testing stable branch needs to keep running on their supported
distro version which is bionic from stein till ussuri.

[1] https://governance.openstack.org/tc/goals/selected/victoria/migrate-ci-cd-jobs-to-ubuntu-focal.html

Change-Id: I8c7c12202e5fd024999bb2010bb483b0b2582346
Story: #2007865
Task: #40190
2020-07-30 22:53:17 +00:00
Colleen Murphy 5ee9af871d Add tempest clients for limits
This change adds tempest clients for the registered limits and limits
APIs. While those APIs are experimental, it's best to start development
of the tempest tests in the keystone plugin rather than in tempest. This
base can be used for both developing exhaustive API tests for these APIs
as well as for RBAC tests.

Change-Id: I30b5b2ac5f10fd457e436df876f872432059b655
2020-07-29 16:42:58 -07:00
gugug c2abd827db Replace assertItemsEqual with assertCountEqual
assertItemsEqual was removed from Python's unittest.TestCase in
Python 3.3 [1][2]. We have been able to use them since then, because
testtools required unittest2, which still included it. With testtools
removing Python 2.7 support [3][4], we will lose support for
assertItemsEqual, so we should switch to use assertCountEqual.

[1] - https://bugs.python.org/issue17866
[2] - https://hg.python.org/cpython/rev/d9921cb6e3cd
[3] - testing-cabal/testtools#286
[4] - testing-cabal/testtools#277

Change-Id: I2edc09748de1739c558040a8ae6a15373ad1a93b
2020-07-12 11:25:13 +08:00
Zuul aa17472706 Merge "Add addCleanup just after resource creation" 2020-06-16 15:44:01 +00:00
Zuul c7219524ec Merge "Add stable branches testing on keystone-tempest-plugin master gate" 2020-06-16 15:44:00 +00:00
Andreas Jaeger fd5ab8adea Update docs building, cleanup
Update docs building and cleanup a bit:
* Update requirements for Sphinx and openstackdocstheme for
  python 3, create doc/requirements.txt for these
* Remove unneeded doc and translation sections from setup.cfg
* Remove install_command, it's unneeded, the default is fine,
  move constraints into deps, use TOX_CONSTRAINTS instead of
  obsolete UPPER_CONSTRAINTS
* Use new variables from updated openstackdocstheme

Change-Id: I659a8736195ff621032b4fb3bd7a72fa616cf8c6
2020-06-09 07:51:26 +02:00
Vishakha Agarwal da7e045b29 Add addCleanup just after resource creation
This patch follows the sequence of adding addCleanup
just after creating a resource similar to whole
keystone-tempest-plugin repo. This is to avoid the
resource leakage issue if anything happen between
resource creation and addcleanup line.

Change-Id: I258c440417eaecb8f5ed4dc1e0eb6138edda883b
2020-05-15 07:10:23 +00:00
Colleen Murphy 7814dc2034 Use ephemeral test user for k2k tests
Do not use the admin user as a shadowed federated user for the K2K
tests. When trying to add expiring groups for the admin user, keystone
has trouble looking up the user in the cache and fails to add the groups
to the user. This sometimes results in test failures, which may be
masked as failure to clean up the identity provider in between tests and
resulting in a conflict trying to recreate it. This change instead uses
an ephemeral test user rather than the admin user, which is not meant to
be used for authentication tests anyway.

Change-Id: Ia4b53b41a0030772a2abdba949ad7529880d8f70
2020-05-10 22:34:17 -07:00
Vishakha Agarwal bd8ba4e7e2 Add stable branches testing on keystone-tempest-plugin master gate
This patch add the jobs for stable/stein, stable/train and
stable/ussuri in keystone tempest plugin. Supported stable branch
use keystone-tempest-plugin master version to test them. Adding stable
job on master ensures that keystone-tempest-plugin master version is
compatible with stable branches testing.

Change-Id: I72bf38247f693a2efcdad2e64a8948023350ff53
2020-05-06 10:09:16 +00:00
Vishakha Agarwal b8f6b25ddd Remove func not in use in test_service_providers
This patch removes an unused function _add_cleanup() from
this plugin.

Change-Id: I3647b639618fcebc99a9e7275d80b87b034e2960
2020-05-02 23:48:10 +05:30
Zuul eedd37dc05 Merge "Remove six library" 2020-04-28 23:57:42 +00:00
Colleen Murphy e105e8ce14 Don't test openstack_groups on stable branches
Without this patch, the stable keystone branches fail the K2K tests
because they don't support the assertion feature added in #1687593 and
we don't intend to backport it. This change allows the stable branches
to still be tested using a regular static group mapping.

Change-Id: Ie1be1cc0e961a1584c99247f0c1b0032576718d8
2020-04-21 20:02:37 -07:00
Zuul 7f76adc1b0 Merge "Make checking for singular SPs in list instead of list equality" 2020-04-21 19:21:32 +00:00
Zuul 24ad0ece06 Merge "Test case for openstack_groups" 2020-04-21 17:23:35 +00:00
Vishakha Agarwal 7c365d8f28 Test case for openstack_groups
This patch adds the test case for the adddtion of
"openstack_groups" to the idp assertion.

Depends-on: https://review.opendev.org/#/c/588211/
Change-Id: I5dd932b34a2a8d1013641e08eabfdac84bb4092e
2020-04-07 23:51:53 +05:30
Kristi Nikolla c393015d2d Make checking for singular SPs in list instead of list equality
There is a race condition when the test_service_providers_in_token
test is run at the same time as the k2k test because an extra SP
will appear in the list.

By checking items in the list individually instead of comparing
list equality this should fix the issue.

Change-Id: I13a7a747e108562b326aee1b88485a377530f8a5
2020-04-07 11:54:33 -04:00
Andreas Jaeger a7743599f4 Update hacking for Python3
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.

Fix problems found.

The tempest plugin is used on older branches as well.
We really only need hacking on master anyways,
where we no longer support python 2, so here we
make the requirement specific to python 3.

Change-Id: Ia1a3c7cf9f48b30ca800c59078f38f2a22c1a0da
2020-04-04 09:24:58 +02:00
Vishakha Agarwal 9c8933c6bb Remove six library
Change-Id: Iadf31a4d5861cf1e821c6b4473ccec23899a2338
2020-03-23 21:06:29 +05:30
Vishakha Agarwal 47244edbc5 Drop py3.5 from tempest plugins
As per the community goal drop python2.7 [1], tempest is dropping
py3.5 and asked to drop from its plugins too.

[1]lists.openstack.org/pipermail/openstack-discuss/2020-February/012310.html

Change-Id: I40d40c58a77c58533da543d59cdb4549a1d20d45
2020-02-05 11:29:25 +05:30
Colleen Murphy 874e450b31 Update Zuul job list
Remove py2 job and add voting k2k job.

Change-Id: Ia3c3f3222e435d479c447fc0acc9f5fbb76c49dc
2020-01-28 15:34:41 -08:00
Vishakha Agarwal 0cf7ef8bc6 [ussuri][goal] Drop python 2.7 support and testing
OpenStack is dropping the py2.7 support in ussuri cycle.

keystone-tempest-plugin is ready with python 3 and ok to drop the
python 2.7 support.

Complete discussion & schedule can be found in
- http://lists.openstack.org/pipermail/openstack-discuss/2019-October/010142.html
- https://etherpad.openstack.org/p/drop-python2-support

Ussuri Communtiy-wide goal:
https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html

Change-Id: I4c46dfbfb9e679d64f6cc6b99d8f63775ec3914a
2020-01-22 12:41:06 +05:30
Zuul e3163c2a69 Merge "Add option to disable testing against external idp" 2019-10-25 21:55:49 +00:00
Zuul 13a94876e4 Merge "Keystone to Keystone tests" 2019-10-25 21:55:49 +00:00
Colleen Murphy 8ec445b13d Add option to disable testing against external idp
Currently, the federation tests are non-voting because they require
connecting to an external service that is not under our control, and is
therefore unreliable. Non-voting tests are a problem because they are
often ignored even when their results are related to new changes. This
change adds a tempest config option
``[identity-feature-enabled]/external_idp``, defaulting to true for
backwards compatibility, which when disabled causes the tests that rely
on the external IdP to be disabled leaving only the K2K federation tests
to be executed. Exercising only the K2K tests is still a good means of
regression testing and we can safely make those tests voting.

Change-Id: I534470df7ca529511ab9a7631f167ec2035ab4be
2019-10-17 11:01:32 -07:00
Colleen Murphy 7dac0f1f6c Use up-to-date federation job names
Change-Id: I4960d56e91977696edb3deee58729e0c74db4a64
2019-10-17 09:24:39 -07:00
Kristi Nikolla a9f65e0bcf Keystone to Keystone tests
blueprint devstack-plugin

Depends-On: I55b4e727404d910aa9b5a07b49b783799bc5f098
Change-Id: I6d46b18c75f344b626848adf255b3d459b6b238d
2019-10-16 15:21:41 -07:00
Zuul a4169fa455 Merge "Follow the PTI for docs" 2019-10-15 18:34:37 +00:00
Vishakha Agarwal 30b20b6e04 Follow the PTI for docs
Use sphinx-build instead of the pbr sphinx extention for building docs
as instructed by the PTI[1].

It fixes the header formatting for the index page, as the headers weren't
rendering at all.

[1] https://governance.openstack.org/tc/reference/pti/python.html

Change-Id: Ibac2b45ecfab4a7e575d097ecb9fc2c5e57b81cf
2019-10-09 14:37:23 +05:30
pengyuesheng 5ed5fd9637 Update the constraints url
For more detail, see http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Change-Id: I51af25ca1d9666cdb2916220aa2e3c940057dff3
2019-09-29 10:50:33 +08:00
Colleen Murphy 806103f188 Fix sphinx requirement for python2
Ensure the sphinx requirement passes the requirements-check job.

Change-Id: I4f76e167a9d29e36dd66ecb82b92b63a3cd07d35
2019-05-28 11:53:01 -07:00
caoyuan 201bcb49fa Replace git.openstack.org URLs with opendev.org URLs
Change-Id: Ieb7ea6c0d9d825d05388201d481fe6619df6e286
2019-04-24 15:36:06 +08:00
OpenDev Sysadmins 21548467c3 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:39:40 +00:00
Arundhati Surpur 8b5c09ce61 Fix documentation link
We don't publish docs for the tempest plugin but we can refer to the
main keystone documentation.

Change-Id: I53b9751a2d875e5d431c651968d0bb202c47d5e5
2019-04-12 09:51:59 -07:00
Zuul b573efb357 Merge "Update hacking version to latest" 2019-01-25 14:53:29 +00:00