Adapt check pertaining to scs-0116-key-manager

mbuechse · mbuechse · commit 18f59011b9ef · 2025-08-27T21:12:34.000+02:00
Signed-off-by: Matthias Büchse &lt;matthias.buechse@alasca.cloud&gt;
diff --git a/Tests/iaas/openstack_test.py b/Tests/iaas/openstack_test.py
@@ -38,6 +38,8 @@
     compute_volume_type_lookup, compute_scs_0114_syntax_check, compute_scs_0114_aspect_type
 from scs_0115_security_groups.security_groups import \
     compute_scs_0115_default_rules
+from scs_0116_key_manager.key_manager import \
+    compute_services_lookup, compute_scs_0116_presence, compute_scs_0116_permissions
 
 
 logger = logging.getLogger(__name__)
@@ -160,11 +162,20 @@ def make_container(cloud):
     c.add_function('scs_0114_replicated_type', lambda c: compute_scs_0114_aspect_type(c.volume_type_lookup, 'replicated'))
     c.add_function('volume_types_check', lambda c: all((
         c.scs_0114_syntax_check,
+        # the following is recommended only, but we treat this whole monolithic testcase as recommended
         c.scs_0114_encrypted_type, c.scs_0114_replicated_type,
     )))
     # scs_0115_security_groups
     c.add_function('scs_0115_default_rules', lambda c: compute_scs_0115_default_rules(c.conn))
     c.add_function('security_groups_default_rules_check', lambda c: c.scs_0115_default_rules)
+    # scs_0115_key_manager
+    c.add_function('services_lookup', lambda c: compute_services_lookup(c.conn))
+    c.add_function('scs_0116_presence', lambda c: compute_scs_0116_presence(c.services_lookup))
+    c.add_function('scs_0116_permissions', lambda c: compute_scs_0116_permissions(c.conn, c.services_lookup))
+    c.add_function('key_manager_check', lambda c: all((
+        # recommended only: c.scs_0116_presence,
+        c.scs_0116_permissions,
+    )))
     return c
 
 
diff --git a/Tests/iaas/scs_0116_key_manager/check-for-key-manager.py b/Tests/iaas/scs_0116_key_manager/check-for-key-manager.py
diff --git a/Tests/iaas/scs_0116_key_manager/key_manager.py b/Tests/iaas/scs_0116_key_manager/key_manager.py
@@ -0,0 +1,119 @@
+from collections import defaultdict
+import logging
+
+import openstack
+
+
+logger = logging.getLogger(__name__)
+
+
+def fetch_roles(conn: openstack.connection.Connection) -> None:
+    """Checks whether the current user has at maximum privileges of the member role.
+
+    :param conn: connection to an OpenStack cloud.
+    :returns: boolean, when role with most privileges is member
+    """
+    role_names = set(conn.session.auth.get_access(conn.session).role_names)
+    if role_names & {"admin", "manager"}:
+        return False
+    if "reader" in role_names:
+        logger.info("User has reader role.")
+    custom_roles = sorted(role_names - {"reader", "member"})
+    if custom_roles:
+        logger.info(f"User has custom roles {', '.join(custom_roles)}.")
+    return role_names
+
+
+def compute_services_lookup(conn: openstack.connection.Connection) -> dict:
+    try:
+        services = conn.service_catalog
+    except Exception:
+        logger.critical("Could not access Catalog endpoint.")
+        raise
+
+    result = defaultdict(list)
+    for svc in services:
+        svc_type = svc["type"]
+        result[svc_type].append(svc)
+    return result
+
+
+def compute_scs_0116_presence(services_lookup):
+    services = services_lookup.get("key-manager", ())
+    if not services:
+        logger.error("key-manager service not found")
+    return bool(services)
+
+
+def _find_secrets(conn: openstack.connection.Connection, secret_name_or_id: str) -> list:
+    """Replacement method for finding secrets.
+
+    Mimicks the behavior of Connection.key_manager.find_secret()
+    but fixes an issue with the internal implementation raising an
+    exception due to an unexpected microversion parameter.
+    Unlike find_secret(), we return a list with all secrets that match.
+    """
+    secrets = conn.key_manager.secrets()
+    return [s for s in secrets if s.name == secret_name_or_id or s.id == secret_name_or_id]
+
+
+def _delete_secret(conn: openstack.connection.Connection, secret: openstack.key_manager.v1.secret.Secret):
+    """Replacement method for deleting secrets
+    _delete_secret(connection, secret object)
+
+    Workaround for SDK bugs:
+     - The id field in reality is a href (containg the UUID at the end)
+     - The delete_secret() function contrary to the documentation does
+       not accept openstack.key_manager.v1.secret.Secret objects nor the
+       hrefs, just plain UUIDs.
+     - It does not return an error when I try to delete a secret passing
+       an object or href, just silently does nothing.
+    The code here assumes that the SDK (when fixed) will continue to
+    accept UUIDs as argument for delete_secret() in the future.
+    Code is robust against those being passed directly in the .id attr
+    of the objects. (It would be even more robust to try to pass the
+    object first, then the href, then the UUID extracted from the href,
+    each time checking whether it was effective. But that's three delete
+    plus list calls and very ugly.)
+    """
+    uuid = secret.id.rsplit('/', 1)[-1]
+    conn.key_manager.delete_secret(uuid)
+
+
+def compute_scs_0116_permissions(conn: openstack.connection.Connection, services_lookup) -> None:
+    """
+    After checking that the current user only has the member and maybe the
+    reader role, this method verifies that the user with a member role
+    has sufficient access to the Key Manager API functionality.
+    """
+    if "member" not in fetch_roles(conn):
+        raise RuntimeError("Cannot test key-manager permissions. User has wrong roles")
+    if not services_lookup.get("key-manager", ()):
+        # this testcase only applies when a key manager is present
+        return True
+    secret_name = "scs-member-role-test-secret"
+    try:
+        existing_secrets = _find_secrets(conn, secret_name)
+        for secret in existing_secrets:
+            _delete_secret(conn, secret)
+
+        if existing_secrets:
+            logger.debug(f'Deleted {len(existing_secrets)} secrets')
+
+        conn.key_manager.create_secret(
+            name=secret_name,
+            payload_content_type="text/plain",
+            secret_type="opaque",
+            payload="foo",
+        )
+        try:
+            new_secret = _find_secrets(conn, secret_name)
+            if not new_secret:
+                raise RuntimeError(f"Secret '{secret_name}' was not discoverable by the user")
+        finally:
+            _delete_secret(conn, new_secret[0])
+    except (RuntimeError, openstack.exceptions.ForbiddenException):
+        logger.debug('exception details', exc_info=True)
+        logger.error("Unsuccessful at using Key Manager API")
+        return False
+    return True
diff --git a/Tests/scs-compatible-iaas.yaml b/Tests/scs-compatible-iaas.yaml
@@ -143,8 +143,8 @@ modules:
     name: Key manager
     url: https://docs.scs.community/standards/scs-0116-v1-key-manager-standard
     run:
-      - executable: ./iaas/key-manager/check-for-key-manager.py
-        args: --os-cloud {os_cloud} --debug
+      - executable: ./iaas/openstack_test.py
+        args: -c {os_cloud} key-manager-check
     testcases:
       - id: key-manager-check
         tags: [mandatory]
