Integration testing for federation #447

@garloff

We shall extend our integration tests to ensure that user federation is validated in our CI tests.

  • Determine suitable setup (two testbeds? Or maybe an IdP only deployment? Maybe avoid re-rolling one side every time?)
  • Upgrade scenarios
  • What functionality is tested? What roles?

Test scenarios

We will probably have different test "scenarios" and run a suite of test cases that apply to them. As a first step we can simulate a lot just within a single testbed, which Zuul would need to do:

  • deploy single testbed (for Login/Logout/CLI, Self-Servicing of roles)
  • create two customer realms
  • for SCS-to-SCS federation it may be enough to federate from customer A to customer B (but this would not test the initial setup steps required regarding SSL and DNS)

Test cases

  • Test Login to Horizon with federated account
  • Test Logout from Horizon with a federated account
  • Test Getting a Keystone token via CLI for a federated account
  • Test Using Kubernetes with an IdP federated account
  • Test Login to Horizon with federated account hosted in a "remote" SCS/Keycloak (requires setting up IdP Federation in Keycloak first)

Additional ideas:

  • Test Self-Service adjustments and mapping into OpenStack roles / scopes.
  • Maybe we should include testing domain isolation, not sure if/how the tests by @markus-hentsch can/should be used here.
  • Test accessing an Infrastructure resource from a Kubernetes workload using a federated account (How?)
  • Test token refresh (is this interesting? We don't want to test OAuth but SCS usage of it)

Metadata

Labels: IAM (Issues or pull requests relevant for SIG IAM), enhancement (New feature or request), epic (Issues that are spread across multiple sprints)

Status: Backlog
