We have stable/xena released so we should add
their job on master gate to keep branchless tempest
plugins compatible to stable branch.

This also removes the stable/train job as that is in EM
state now.

Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html

Change-Id: I7d69623c23e2337dde320bcab81f6a0f5c10b289

Yoga testing runtime[1] has been updated to add py39
testing as voting. Unit tests update are handled by the
job template change in openstack-zuul-job

- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286

this commit updates the classifier in setup.cfg file.

[1] https://governance.openstack.org/tc/reference/runtimes/yoga.html

Change-Id: Ia6151ee06740492127f25831cd54fe751904bb7e

This patch adds tests for Container Consumers.

Depends-On: I1724152839f0f5850f8d32d40b36d1670c0ad996
Change-Id: If2209b12dce107c5648d39270d977a1e9f3bea1d

These two tests are breaking the gate in barbican for a bugfix
patch. [1]

As currently written, the tests are checking the buggy behavior and they
break with the bugfix.

The main issue with the tests is that the different persona classes are
not overriding the cls.consumer_client object to match the persona under
test.  This results in the member client being used throughout, which
before the bufix was wrongly returning a 403.

These test are being re-written in a follow up patch. [2]

[1] https://review.opendev.org/c/openstack/barbican/+/816756/
[2] https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/815071

Change-Id: I8698fc7a9ac849b8c24adfe824ca44dd3e42b999

This patch adds policy tests for the Containers ACL API.

Change-Id: I4e01c0e7f93f52c72faadb9d2a8317f9f553904b

Depends-On: I821b4f5998be5b40327311039979f5e00ea9cefc
Change-Id: I4ef2f68d9070da0c56c4e2370cf66bc813829cd5

This patch test RBAC acces for the Secret ACL API.

Change-Id: I8d88cbf556e9d750c150262f0834bc64a7a726ac

This patch test RBAC access for the Secret Metadata API.

Depends-On: I8222ea2a55cdb72f1d9affe9fb0cf542c6b7c88c
Change-Id: I4dda0eb7198892ed1b662b4c3f3b6e99d9d3e80a

This patch refactors some test for Quotas and adds tests for
checking quotas for different projects than the one the persona
is authenticated as.

Change-Id: Iff17a51d6d23f99376119249c046a84cdfc438e0

Ensure that the Barbican service is configured to use scoped
tokens when checking RBAC policy.

Depends-On: Id399d2220118efe1033426c658d1834cbff02f94

Change-Id: Id7aa02ea4862242fa34140166d634f30af721c22

This patch adds rbac tests to the Orders resource to test
access across different projects.

Change-Id: I4fe67821696263f570c097c610e5f37114b5d76e

This patch continues the refactor of cleanup logic.  It adds a
new `cleanup()` method to the order client that attempts to delete
all orders and all screts created by those orders on cleanup.

This patch also adds some scaffolding to the Container client that
will be fleshed out in a follow-up patch.

Change-Id: I78d875980637e82ddc3173aad2fc7ecf4941230c

This patch adds rbac tests to the Containers resource to test
secure-rbac policies within a project

This patch also removes the use of do_request in the existing tests
as that method is being deprecated in favor of using the clients
directly.

* PEP8 Fixes
* Fix the plurality of the method names
* Remove _by_id from certain methods to maintain consistency

Change-Id: I80aba2934110965866d1583309df7f2ca9ef4c27

This patch adds rbac tests to the Secrets resource to test access
across different projects.

This patch also changes the Reader, Member, and Admin test suite
inheritance to remove code duplication.

Change-Id: Icf5a52925244dfe7d98ba9cfba549fce67be44db

This patch is the first in a refactor of the cleanup logic in our
tests.

This patch adds a new `cleanup()` method to the SecretClient that
attempts to delete all the secrets it creates.

Moving the responsibility of tracking which secrets to clean up down
to the client allows us more flexibility when cleaning up the resources.
e.g.  it should be fairly easy to clean up secrets across multiple projects
by just calling the new `cleanup()` method on each client used.

This patch will also allow us to get rid of the overloaded `do_request()`
method that is currently used as a proxy to the client to be able to track
entities.

The change also makes the test code more explicit and easier to read.

Change-Id: Id9be832a0f255410bd955d94c32001fec500f32f

This patch changes a test to wait a few seconds for the orders to be
processed by Barbican.  Currently there are intermittent failures when
the test executes faster than Barbican can process orders.

Change-Id: I863ca223d6732b43dd6baa1510d4206b34bfb19e

As stated in the cryptography.io documentation, "Almost everyone should
use 65537" for the public_exponent in an RSA key. [1]

This patch also uses a larger RSA key length for FIPS compatibility.

[1] https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key

Change-Id: I9f0c030b172a544821aa42924e4401cd7ccc9956

Follow-up of I05b0200b80d8ae957caaa53d5006b050d2d49da6
which fixes also the other leftover usage of a legacy
encryptor class (plain this time).

Change-Id: I8fc4e2e6ed84bf18a4c89c30ee5c40b743d00e46

Stable/wallaby is released so we should add
their job on master gate to keep branchless tempest
plugins compatible to stable branch.

Ref: Tempest plugins guide for stable branch testing:
- https://docs.openstack.org/tempest/latest/stable_branch_testing_policy.html

Change-Id: I3e8534fdc91a9e94fa82ce6504f36f3d0b5aed6c

This patch adds basic RBAC tests for the Transport Keys API for
the reader, admin, and member personas with project scope.

Some tests will need additional work because they require transport
keys to be present, which can only be done by a system-scope admin

Change-Id: I269618fd760cffd992ca450bb9f13b9788b50b54

This patch adds basic RBAC test for the Secret Stores API for
the reader, member and admin personas with project scope.

The tests are skipped by a config option, as they require
the multiple-backends feature to be enabled in barbican.

The devstack instace we're using for gate tests does not have
this enabled, so we default to False for now.

Change-Id: Ibca9d44fb3d0f4fd9945a7e6c636e0fbf6beb42e

This patch adds basic secure-rbac testing for the Quotas resource
for the reader, member, and admin personas with project scope.

Change-Id: I290b808bbb8be26da281cf8971661c44fede71b0

This patch adds basic RBAC tests for the Orders resource for
the reader, member, and admin personas with project scope.

Change-Id: Ie5b7b6f7df20ec96e916232e70e9f61c7771f9d2

This patch adds basic RBAC testing for the Containers resource for
reader, member and admin personas with project scope.

Depends-On: I6879f566117db5ec0099ddad35ba649a3c674bd1
Change-Id: I2272f5cd2385df15cc7761e8b858dfd39be955d4

This patch adds a gate to test the new secure-rbac policy.

Currently, Tempest is unable to create system admin credentials
when the isolated networks option is set to true, so we disable
that option for this gate.

This patch also includes fixes needed to get the existing tests
to pass, as well as some skips for scenario tests that require
isolated networks.

We should be able to remove the skips once Tempest is fixed to
work with system admin.

Depends-On: I584f7b67f2f95caa7c4db3d9d9222d0a9d38442d
Change-Id: I0129ab6d15bc42d98a19e3551b8d009f9ad05e10

This adds initial RBAC tests for secrets

Change-Id: Ib79eed6886839d1b7848c991bd64e82595c6c32e

UPPER_CONSTRAINTS_FILE is old name and deprecated
-https://zuul-ci.org/docs/zuul-jobs/python-roles.html#rolevar-tox.tox_constraints_file
This allows to use lower-constraints file as more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

Change-Id: I5e198c592742755f4285b68ac288820b9a33031b

Change-Id: Ia690ea0a284f1e1cfe7e223613acdb30e40a9980

As per victoria cycle testing runtime and community goal
we need to migrate upstream CI/CD to Ubuntu Focal(20.04).

Tempest based jobs are migrated automatically via devstack
base job start running on Focal but stable jobs testing stable
branch needs to keep running on their supported
distro version which is bionic from train till ussuri.

Also, remove stein support (removed from tempest)
and add a job for victoria.

Change-Id: I3d792925e81172ae8abe75c5ceb2d5a039fc84f7
Story: #2007865
Task: #40184

The openstack can have multiple glance stores deployed/available.
It may be a proper thing to copy newly created signed image into
all the available glance stores so barbican tempest tests can access
image regardless on which compute and storage backend they are ran on
and regardless on which glance store is local.
Additionally there is a nova-compute conf parameter[1] which can even
prevent instances being spawned from image which is not available in local
glance store.
The copy-image would happen only if import_image tempest cong option
is available which indicates glance multistore is available.

[1] https://review.opendev.org/#/c/657078/

Change-Id: I1f0d8be1b237da0c96e820c4b3dca09a83b29752

Current skip runs from the testcase and consumes time and resources.
Changed the skip to decorator.

Change-Id: Ia98fa1607c56b34ed1c764873f2909f423d1fffd