opentelekomcloud
diff --git a/‎acceptance/static_creds_test.go‎
Lines changed: 178 additions & 0 deletions b/‎acceptance/static_creds_test.go‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎acceptance/static_roles_test.go‎
Lines changed: 37 additions & 16 deletions b/‎acceptance/static_roles_test.go‎
Lines changed: 37 additions & 16 deletions
diff --git a/‎doc/source/api.md‎
Lines changed: 71 additions & 15 deletions b/‎doc/source/api.md‎
Lines changed: 71 additions & 15 deletions
diff --git a/‎openstack/backend.go‎
Lines changed: 1 addition & 0 deletions b/‎openstack/backend.go‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,178 @@
+//go:build acceptance
+// +build acceptance
+
+package acceptance
+
+import (
+	"fmt"
+	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/roles"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/users"
+	"github.com/opentelekomcloud/vault-plugin-secrets-openstack/openstack"
+	"github.com/opentelekomcloud/vault-plugin-secrets-openstack/openstack/fixtures"
+	"github.com/stretchr/testify/require"
+	"net/http"
+	"testing"
+)
+
+type testStaticCase struct {
+	cloud      string
+	projectID  string
+	domainID   string
+	secretType string
+	username   string
+	extensions map[string]interface{}
+}
+
+func (p *PluginTest) TestStaticCredsLifecycle() {
+	t := p.T()
+
+	cloud := openstackCloudConfig(t)
+	require.NotEmpty(t, cloud)
+
+	client, aux := openstackClient(t)
+
+	userRoleName := "member"
+	allRoles := getAllRoles(t, client)
+
+	dataCloud := map[string]interface{}{
+		"auth_url":         cloud.AuthURL,
+		"username":         cloud.Username,
+		"password":         cloud.Password,
+		"user_domain_name": cloud.UserDomainName,
+	}
+
+	cases := map[string]testStaticCase{
+		"user_password": {
+			cloud:      cloud.Name,
+			projectID:  aux.ProjectID,
+			domainID:   aux.DomainID,
+			username:   "static-test-1",
+			secretType: "password",
+		},
+		"user_token": {
+			cloud:      cloud.Name,
+			projectID:  aux.ProjectID,
+			domainID:   aux.DomainID,
+			username:   "static-test-2",
+			secretType: "token",
+			extensions: map[string]interface{}{
+				"identity_api_version": "3",
+			},
+		},
+	}
+
+	for name, data := range cases {
+		t.Run(name, func(t *testing.T) {
+			data := data
+
+			roleName := openstack.RandomString(openstack.NameDefaultSet, 4)
+
+			userId := userSetup(t, client, data, aux, allRoles[userRoleName].ID)
+			t.Cleanup(func() {
+				require.NoError(t, users.Delete(client, userId).ExtractErr())
+			})
+
+			resp, err := p.vaultDo(
+				http.MethodPost,
+				cloudURL(cloudName),
+				dataCloud,
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusNoContent, resp)
+
+			resp, err = p.vaultDo(
+				http.MethodPost,
+				staticRoleURL(roleName),
+				cloudToStaticRoleMap(data),
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusNoContent, resp)
+
+			resp, err = p.vaultDo(
+				http.MethodGet,
+				staticRoleURL(roleName),
+				nil,
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusOK, resp)
+
+			resp, err = p.vaultDo(
+				http.MethodGet,
+				staticCredsURL(roleName),
+				nil,
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusOK, resp)
+
+			resp, err = p.vaultDo(
+				http.MethodDelete,
+				staticRoleURL(roleName),
+				nil,
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusNoContent, resp)
+
+			resp, err = p.vaultDo(
+				http.MethodDelete,
+				cloudURL(cloudName),
+				nil,
+			)
+			require.NoError(t, err)
+			assertStatusCode(t, http.StatusNoContent, resp)
+		})
+	}
+}
+
+func staticCredsURL(roleName string) string {
+	return fmt.Sprintf("/v1/openstack/static-creds/%s", roleName)
+}
+
+func cloudToStaticRoleMap(data testStaticCase) map[string]interface{} {
+	return fixtures.SanitizedMap(map[string]interface{}{
+		"cloud":       data.cloud,
+		"project_id":  data.projectID,
+		"domain_id":   data.domainID,
+		"secret_type": data.secretType,
+		"username":    data.username,
+		"extensions":  data.extensions,
+	})
+}
+
+func getAllRoles(t *testing.T, client *gophercloud.ServiceClient) map[string]roles.Role {
+	rolePages, err := roles.List(client, nil).AllPages()
+	require.NoError(t, err)
+
+	roleList, err := roles.ExtractRoles(rolePages)
+	require.NoError(t, err)
+
+	result := make(map[string]roles.Role, len(roleList))
+
+	for _, role := range roleList {
+		result[role.Name] = role
+	}
+
+	return result
+}
+
+func userSetup(t *testing.T, client *gophercloud.ServiceClient, data testStaticCase, aux *AuxiliaryData, roleID string) string {
+	createUserOpts := users.CreateOpts{
+		Name:             data.username,
+		Description:      "Static user",
+		DefaultProjectID: aux.ProjectID,
+		DomainID:         aux.DomainID,
+		Password:         openstack.RandomString(openstack.PwdDefaultSet, 16),
+	}
+	user, err := users.Create(client, createUserOpts).Extract()
+	require.NoError(t, err)
+
+	assignOpts := roles.AssignOpts{
+		UserID:    user.ID,
+		ProjectID: aux.ProjectID,
+	}
+
+	err = roles.Assign(client, roleID, assignOpts).ExtractErr()
+	require.NoError(t, err)
+
+	return user.ID
+}
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/gophercloud/gophercloud/acceptance/tools"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/users"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/opentelekomcloud/vault-plugin-secrets-openstack/openstack"
 	"github.com/stretchr/testify/assert"
@@ -23,7 +24,6 @@ type staticRoleData struct {
 	ProjectID        string                 `json:"project_id"`
 	ProjectName      string                 `json:"project_name"`
 	Extensions       map[string]interface{} `json:"extensions"`
-	Root             bool                   `json:"root"`
 	SecretType       string                 `json:"secret_type"`
 	Username         string                 `json:"username"`
 }
@@ -42,17 +42,40 @@ func extractStaticRoleData(t *testing.T, resp *http.Response) *staticRoleData {
 func (p *PluginTest) TestStaticRoleLifecycle() {
 	t := p.T()
 
-	cloud := &openstack.OsCloud{
-		Name:             openstack.RandomString(openstack.NameDefaultSet, 10),
-		AuthURL:          "https://example.com/v3",
-		UserDomainName:   openstack.RandomString(openstack.NameDefaultSet, 10),
-		Username:         openstack.RandomString(openstack.NameDefaultSet, 10),
-		Password:         openstack.RandomString(openstack.PwdDefaultSet, 10),
-		UsernameTemplate: "u-{{ .RoleName }}-{{ random 4 }}",
+	cloud := openstackCloudConfig(t)
+	require.NotEmpty(t, cloud)
+
+	client, aux := openstackClient(t)
+
+	dataCloud := map[string]interface{}{
+		"auth_url":         cloud.AuthURL,
+		"username":         cloud.Username,
+		"password":         cloud.Password,
+		"user_domain_name": cloud.UserDomainName,
 	}
-	p.makeCloud(cloud)
 
-	data := expectedStaticRoleData(cloud.Name)
+	resp, err := p.vaultDo(
+		http.MethodPost,
+		cloudURL(cloudName),
+		dataCloud,
+	)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode, readJSONResponse(t, resp))
+
+	createUserOpts := users.CreateOpts{
+		Name:        "vault-test",
+		Description: "Static user",
+		DomainID:    aux.DomainID,
+		Password:    openstack.RandomString(openstack.PwdDefaultSet, 16),
+	}
+	user, err := users.Create(client, createUserOpts).Extract()
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		require.NoError(t, users.Delete(client, user.ID).ExtractErr())
+	})
+
+	data := expectedStaticRoleData(cloud.Name, aux)
 	roleName := "test-write"
 	t.Run("WriteRole", func(t *testing.T) {
 		resp, err := p.vaultDo(
@@ -74,12 +97,10 @@ func (p *PluginTest) TestStaticRoleLifecycle() {
 
 		expected := &staticRoleData{
 			Cloud:            data["cloud"].(string),
-			TTL:              data["ttl"].(time.Duration),
 			RotationDuration: data["rotation_duration"].(time.Duration),
 			ProjectID:        data["project_id"].(string),
 			ProjectName:      data["project_name"].(string),
 			Extensions:       data["extensions"].(map[string]interface{}),
-			Root:             data["root"].(bool),
 			SecretType:       data["secret_type"].(string),
 			Username:         data["username"].(string),
 		}
@@ -112,17 +133,17 @@ func staticRoleURL(name string) string {
 	return fmt.Sprintf("/v1/openstack/static-role/%s", name)
 }
 
-func expectedStaticRoleData(cloudName string) map[string]interface{} {
+func expectedStaticRoleData(cloudName string, aux *AuxiliaryData) map[string]interface{} {
 	expectedMap := map[string]interface{}{
 		"cloud":             cloudName,
 		"ttl":               time.Hour / time.Second,
 		"rotation_duration": time.Hour / time.Second,
-		"project_id":        "",
+		"project_id":        aux.ProjectID,
+		"domain_id":         aux.DomainID,
 		"project_name":      tools.RandomString("p", 5),
 		"extensions":        map[string]interface{}{},
-		"root":              false,
 		"secret_type":       "password",
-		"username":          "static-test",
+		"username":          "vault-test",
 	}
 	return expectedMap
 }
@@ -440,10 +440,6 @@ created. If the role exists, it will be updated with the new attributes.
 
 - `username` `(string: <required>)` - Specifies username of user managed by the static role.
 
-- `root` `(bool: <optional>)` - Specifies whenever to use the root user as a role actor.
-  If set to `true`, `secret_type` can't be set to `password`.
-  If set to `true`, `ttl` value is ignored.
-
 - `rotation_duration` `(string: "1h")` - Specifies password rotation time value for the static user as a
   string duration with time suffix.
 
@@ -492,17 +488,6 @@ $ curl \
 }
 ```
 
-#### Creating a static role using root user
-
-```json
-{
-  "cloud": "example-cloud",
-  "root": true,
-  "project_name": "test",
-  "username": "test-user"
-}
-```
-
 #### Creating a static role for password-based access
 
 ```json
@@ -585,3 +570,74 @@ $ curl \
   }
 }
 ```
+
+## Read Static Role Credentials
+
+This endpoint returns user credentials based on the named static role.
+
+| Method   | Path                            |
+|:---------|:--------------------------------|
+| `GET`    | `/openstack/static-creds/:name` |
+
+### Parameters
+
+- `name` (`string: <required>`) - Specifies the name of the role to return credentials against.
+
+### Sample Request
+
+```shell
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/openstack/static-creds/example-role
+```
+
+### Sample Responses
+
+#### Credentials for the token-type static role
+
+```json
+{
+  "data": {
+    "auth": {
+      "auth_url": "https://example.com/v3/",
+      "token": "gAAAAABiA6Xfybumdwd84qvMDJKYOaauWxSvG9ItslSr5w0Mb...",
+      "project_name": "test",
+      "project_domain_id": "Default"
+    },
+    "auth_type": "token"
+  }
+}
+```
+
+#### Credentials for the password-type static role with project scope
+
+```json
+{
+  "data": {
+    "auth": {
+      "auth_url": "https://example.com/v3/",
+      "username": "admin",
+      "password": "RcigTiYrJjVmEkrV71Cd",
+      "project_name": "test",
+      "project_domain_id": "Default"
+    },
+    "auth_type": "password"
+  }
+}
+```
+
+#### Credentials for the password-type static role with domain scope
+
+```json
+{
+  "data": {
+    "auth": {
+      "auth_url": "https://example.com/v3/",
+      "username": "admin",
+      "password": "RcigTiYrJjVmEkrV71Cd",
+      "user_domain_id": "Default"
+    },
+    "auth_type": "password"
+  }
+}
+```
@@ -54,6 +54,7 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 			b.pathStaticRole(),
 			b.pathRotateRoot(),
 			b.pathCreds(),
+			b.pathStaticCreds(),
 		},
 		Secrets: []*framework.Secret{
 			secretToken(b),