Modify test_get_effective_quota test

The test_get_effective_quotas test uses key-manager:service-admin legacy role to get the effective quotas. Using a user with only this role should lead to an ERROR in an SRBAC environment. This patch changes the test so that it checks whether the ERROR occurred when the test tried to get quotas in SRBAC environment. Also, auth.tempest_roles = member was removed from tempest.conf as it is not necessary and causes a failure of the modified test and it might cause unwanted problems in the future. Change-Id: Ib106f5e760d3a5253968e2fe13ec576107a98c74
2023-06-01 09:12:48 +00:00 · 2023-06-01 09:12:48 +00:00 · 832692c4fb
parent b5519a7015
commit 832692c4fb
2 changed files with 17 additions and 10 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -130,8 +130,6 @@
              enforce_scope: True
        test-config:
          $TEMPEST_CONFIG:
-            auth:
-              tempest_roles: member
            barbican_rbac_scope_verification:
              enforce_scope: True

--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@ -16,6 +16,7 @@ from barbican_tempest_plugin.tests.api import base

 from tempest import config
 from tempest.lib import decorators
+from tempest.lib import exceptions

 CONF = config.CONF

@ -25,14 +26,22 @@ class QuotasTest(base.BaseKeyManagerTest):

    @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
    def test_get_effective_quota(self):
-        # Verify the default quota settings
-        body = self.quota_client.get_default_project_quota()
-        quotas = body.get('quotas')
-        self.assertEqual(-1, quotas.get('secrets'))
-        self.assertEqual(-1, quotas.get('cas'))
-        self.assertEqual(-1, quotas.get('orders'))
-        self.assertEqual(-1, quotas.get('containers'))
-        self.assertEqual(-1, quotas.get('consumers'))
+        if CONF.barbican_rbac_scope_verification.enforce_scope:
+            # This test is using key-manager:service-admin legacy
+            # role. User with only this role should get a Forbidden
+            # error when trying to get effective quotas in SRBAC
+            # environment.
+            self.assertRaises(
+                exceptions.Forbidden,
+                self.quota_client.get_default_project_quota)
+        else:
+            body = self.quota_client.get_default_project_quota()
+            quotas = body.get('quotas')
+            self.assertEqual(-1, quotas.get('secrets'))
+            self.assertEqual(-1, quotas.get('cas'))
+            self.assertEqual(-1, quotas.get('orders'))
+            self.assertEqual(-1, quotas.get('containers'))
+            self.assertEqual(-1, quotas.get('consumers'))


 class ProjectQuotasTest(base.BaseKeyManagerTest):