def test_guest_instance_type(self):
        """ Test that the guest instance type is passed through
        to run_instance().
        """
        aws_svc, encryptor_image, guest_image = \
            test_aws_service.build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        def run_instance_callback(args):
            if args.image_id == encrypted_ami_id:
                self.assertEqual('t2.micro', args.instance_type)
            elif args.image_id == encryptor_image.id:
                self.assertEqual('m3.medium', args.instance_type)
            else:
                self.fail('Unexpected image: ' + args.image_id)

        aws_svc.run_instance_callback = run_instance_callback
        update_ami(
            aws_svc, encrypted_ami_id, encryptor_image.id, 'Test updated AMI',
            subnet_id='subnet-1', security_group_ids=['sg-1', 'sg-2'],
            enc_svc_class=DummyEncryptorService, guest_instance_type='t2.micro'
        )
    def test_subnet_and_security_groups(self):
        """ Test that the subnet and security group ids are passed through
        to run_instance().
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        self.call_count = 0

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.call_count += 1
                self.assertEqual('subnet-1', args.subnet_id)
                self.assertEqual(['sg-1', 'sg-2'], args.security_group_ids)

        aws_svc.run_instance_callback = run_instance_callback
        ami_id = update_ami(
            aws_svc, encrypted_ami_id, encryptor_image.id,
            'Test updated AMI',
            subnet_id='subnet-1', security_group_ids=['sg-1', 'sg-2'],
            enc_svc_class=DummyEncryptorService
        )

        self.assertEqual(1, self.call_count)
        self.assertIsNotNone(ami_id)
    def test_subnet_with_security_groups(self):
        """ Test that the subnet and security groups are passed to the
        calls to AWSService.run_instance().
        """
        self.call_count = 0

        def run_instance_callback(args):
            self.call_count += 1
            self.assertEqual('subnet-1', args.subnet_id)
            if self.call_count == 1:
                # Snapshotter.
                self.assertIsNone(args.security_group_ids)
            elif self.call_count == 2:
                # Encryptor.
                self.assertEqual(['sg-1', 'sg-2'], args.security_group_ids)
            else:
                self.fail('Unexpected number of calls to run_instance()')

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            subnet_id='subnet-1',
            security_group_ids=['sg-1', 'sg-2']
        )
    def test_brkt_env_encrypt(self):
        """ Test that we parse the brkt_env value and pass the correct
        values to user_data when launching the encryptor instance.
        """

        api_host_port = 'api.example.com:777'
        hsmproxy_host_port = 'hsmproxy.example.com:888'
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                brkt_config = self._get_brkt_config_from_mime(args.user_data)
                d = json.loads(brkt_config)
                self.assertEquals(
                    api_host_port,
                    d['brkt']['api_host']
                )
                self.assertEquals(
                    hsmproxy_host_port,
                    d['brkt']['hsmproxy_host']
                )

        cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
        values = instance_config_args_to_values(cli_args)
        brkt_env = brkt_cli.brkt_env_from_values(values)
        ic = make_instance_config(values, brkt_env)
        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            instance_config=ic
        )
    def test_subnet_with_security_groups(self):
        """ Test that the subnet and security groups are passed to the
        calls to AWSService.run_instance().
        """
        self.call_count = 0

        def run_instance_callback(args):
            self.call_count += 1
            self.assertEqual('subnet-1', args.subnet_id)
            if self.call_count == 1:
                # Snapshotter.
                self.assertIsNone(args.security_group_ids)
            elif self.call_count == 2:
                # Encryptor.
                self.assertEqual(['sg-1', 'sg-2'], args.security_group_ids)
            else:
                self.fail('Unexpected number of calls to run_instance()')

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id,
                            subnet_id='subnet-1',
                            security_group_ids=['sg-1', 'sg-2'])
    def test_subnet_without_security_groups(self):
        """ Test that we create the temporary security group in the subnet
        that the user specified.
        """
        self.security_group_was_created = False

        def create_security_group_callback(vpc_id):
            self.security_group_was_created = True
            self.assertEqual('vpc-1', vpc_id)

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.create_security_group_callback = \
            create_security_group_callback

        subnet = Subnet()
        subnet.id = 'subnet-1'
        subnet.vpc_id = 'vpc-1'
        aws_svc.subnets = {subnet.id: subnet}

        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id,
                            subnet_id='subnet-1')
        self.assertTrue(self.security_group_was_created)
    def test_clean_up_root_snapshot(self):
        """ Test that we clean up the root snapshot if an exception is
        raised while waiting for it to complete.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        guest_instance = aws_svc.run_instance(guest_image.id)
        self.snapshot = None
        self.snapshot_was_deleted = False

        def get_snapshot_callback(snapshot):
            """ Simulate an exception being raised while waiting for the
            snapshot to complete.
            """
            raise TestException()

        def create_snapshot_callback(volume_id, snapshot):
            self.snapshot = snapshot

        def delete_snapshot_callback(snapshot_id):
            self.assertEqual(self.snapshot.id, snapshot_id)
            self.snapshot_was_deleted = True

        aws_svc.get_snapshot_callback = get_snapshot_callback
        aws_svc.create_snapshot_callback = create_snapshot_callback
        aws_svc.delete_snapshot_callback = delete_snapshot_callback

        with self.assertRaises(TestException):
            encrypt_ami._snapshot_root_volume(
                aws_svc, guest_instance, guest_image.id)
        self.assertTrue(self.snapshot_was_deleted)
    def test_terminate_guest(self):
        """ Test that we terminate the guest instance if an exception is
        raised while waiting for it to come up.
        """
        self.terminate_instance_called = False
        self.instance_id = None

        def get_instance_callback(instance):
            self.instance_id = instance.id
            raise TestException('Test')

        def terminate_instance_callback(instance):
            self.terminate_instance_called = True
            self.assertEqual(self.instance_id, instance.id)

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.get_instance_callback = get_instance_callback
        aws_svc.terminate_instance_callback = terminate_instance_callback

        try:
            encrypt_ami.encrypt(aws_svc=aws_svc,
                                enc_svc_cls=DummyEncryptorService,
                                image_id=guest_image.id,
                                encryptor_ami=encryptor_image.id)
        except TestException:
            pass

        self.assertTrue(self.terminate_instance_called)
    def test_terminate_guest(self):
        """ Test that we terminate the guest instance if an exception is
        raised while waiting for it to come up.
        """
        self.terminate_instance_called = False
        self.instance_id = None

        def get_instance_callback(instance):
            self.instance_id = instance.id
            raise TestException('Test')

        def terminate_instance_callback(instance):
            self.terminate_instance_called = True
            self.assertEqual(self.instance_id, instance.id)

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.get_instance_callback = get_instance_callback
        aws_svc.terminate_instance_callback = terminate_instance_callback

        try:
            encrypt_ami.encrypt(
                aws_svc=aws_svc,
                enc_svc_cls=DummyEncryptorService,
                image_id=guest_image.id,
                encryptor_ami=encryptor_image.id
            )
        except TestException:
            pass

        self.assertTrue(self.terminate_instance_called)
    def test_subnet_without_security_groups(self):
        """ Test that we create the temporary security group in the subnet
        that the user specified.
        """
        self.security_group_was_created = False

        def create_security_group_callback(vpc_id):
            self.security_group_was_created = True
            self.assertEqual('vpc-1', vpc_id)

        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.create_security_group_callback = \
            create_security_group_callback

        subnet = Subnet()
        subnet.id = 'subnet-1'
        subnet.vpc_id = 'vpc-1'
        aws_svc.subnets = {subnet.id: subnet}

        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            subnet_id='subnet-1'
        )
        self.assertTrue(self.security_group_was_created)
    def test_security_group_eventual_consistency(self):
        """ Test that we handle eventually consistency issues when creating
        a temporary security group.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        self.call_count = 0

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.call_count += 1
                if self.call_count < 3:
                    # Simulate eventual consistency error while creating
                    # security group.
                    e = EC2ResponseError(None, None)
                    e.error_code = 'InvalidGroup.NotFound'
                    raise e

        aws_svc.run_instance_callback = run_instance_callback

        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id)

        self.assertEquals(3, self.call_count)
    def test_clean_up_encryptor_instance(self):
        """ Test that we clean up the encryptor instance if an exception is
        raised inside _run_encryptor_instance().
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        self.encryptor_instance_id = None
        self.encryptor_terminated = False

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.encryptor_instance_id = args.instance.id

        def create_tags_callback(resource_id, name, description):
            if resource_id == self.encryptor_instance_id:
                raise TestException()

        def terminate_instance_callback(instance_id):
            if instance_id == self.encryptor_instance_id:
                self.encryptor_terminated = True

        aws_svc.run_instance_callback = run_instance_callback
        aws_svc.create_tags_callback = create_tags_callback
        aws_svc.terminate_instance_callback = terminate_instance_callback

        with self.assertRaises(TestException):
            encrypt_ami.encrypt(
                aws_svc=aws_svc,
                enc_svc_cls=DummyEncryptorService,
                image_id=guest_image.id,
                encryptor_ami=encryptor_image.id
            )

        self.assertTrue(self.encryptor_terminated)
    def test_delete_orphaned_volumes(self):
        """ Test that we clean up instance volumes that are orphaned by AWS.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # Simulate a tagged orphaned volume.
        volume = Volume()
        volume.id = test_aws_service.new_id()
        aws_svc.volumes[volume.id] = volume
        aws_svc.tagged_volumes.append(volume)

        # Verify that lookup succeeds before encrypt().
        self.assertEqual(volume, aws_svc.get_volume(volume.id))
        self.assertEqual([volume],
                         aws_svc.get_volumes(
                             tag_key=encrypt_ami.TAG_ENCRYPTOR_SESSION_ID,
                             tag_value='123'))

        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id)

        # Verify that the volume was deleted.
        self.assertIsNone(aws_svc.volumes.get(volume.id, None))
    def test_brkt_env_encrypt(self):
        """ Test that we parse the brkt_env value and pass the correct
        values to user_data when launching the encryptor instance.
        """

        api_host_port = 'api.example.com:777'
        hsmproxy_host_port = 'hsmproxy.example.com:888'
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                brkt_config = self._get_brkt_config_from_mime(args.user_data)
                d = json.loads(brkt_config)
                self.assertEquals(api_host_port, d['brkt']['api_host'])
                self.assertEquals(hsmproxy_host_port,
                                  d['brkt']['hsmproxy_host'])

        cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
        values = instance_config_args_to_values(cli_args)
        brkt_env = brkt_cli.brkt_env_from_values(values)
        ic = make_instance_config(values, brkt_env)
        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id,
                            instance_config=ic)
    def test_delete_orphaned_volumes(self):
        """ Test that we clean up instance volumes that are orphaned by AWS.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # Simulate a tagged orphaned volume.
        volume = Volume()
        volume.id = test_aws_service.new_id()
        aws_svc.volumes[volume.id] = volume
        aws_svc.tagged_volumes.append(volume)

        # Verify that lookup succeeds before encrypt().
        self.assertEqual(volume, aws_svc.get_volume(volume.id))
        self.assertEqual(
            [volume],
            aws_svc.get_volumes(
                tag_key=encrypt_ami.TAG_ENCRYPTOR_SESSION_ID, tag_value='123')
        )

        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        # Verify that the volume was deleted.
        self.assertIsNone(aws_svc.volumes.get(volume.id, None))
Beispiel #16
0
    def test_guest_instance_type(self):
        """ Test that the guest instance type is passed through
        to run_instance().
        """
        aws_svc, encryptor_image, guest_image = \
            test_aws_service.build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id)

        def run_instance_callback(args):
            if args.image_id == encrypted_ami_id:
                self.assertEqual('t2.micro', args.instance_type)
            elif args.image_id == encryptor_image.id:
                self.assertEqual('m3.medium', args.instance_type)
            else:
                self.fail('Unexpected image: ' + args.image_id)

        aws_svc.run_instance_callback = run_instance_callback
        update_ami(aws_svc,
                   encrypted_ami_id,
                   encryptor_image.id,
                   'Test updated AMI',
                   subnet_id='subnet-1',
                   security_group_ids=['sg-1', 'sg-2'],
                   enc_svc_class=DummyEncryptorService,
                   guest_instance_type='t2.micro')
Beispiel #17
0
    def test_subnet_and_security_groups(self):
        """ Test that the subnet and security group ids are passed through
        to run_instance().
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id)

        self.call_count = 0

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.call_count += 1
                self.assertEqual('subnet-1', args.subnet_id)
                self.assertEqual(['sg-1', 'sg-2'], args.security_group_ids)

        aws_svc.run_instance_callback = run_instance_callback
        ami_id = update_ami(aws_svc,
                            encrypted_ami_id,
                            encryptor_image.id,
                            'Test updated AMI',
                            subnet_id='subnet-1',
                            security_group_ids=['sg-1', 'sg-2'],
                            enc_svc_class=DummyEncryptorService)

        self.assertEqual(1, self.call_count)
        self.assertIsNotNone(ami_id)
    def test_brkt_env_update(self):
        """ Test that the Bracket environment is passed through to metavisor
        user data.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id)

        api_host_port = 'api.example.com:777'
        hsmproxy_host_port = 'hsmproxy.example.com:888'
        cli_args = '--brkt-env %s,%s' % (api_host_port, hsmproxy_host_port)
        values = instance_config_args_to_values(cli_args)
        brkt_env = brkt_cli.brkt_env_from_values(values)
        ic = make_instance_config(values, brkt_env)

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                brkt_config = self._get_brkt_config_from_mime(args.user_data)
                d = json.loads(brkt_config)
                self.assertEquals(api_host_port, d['brkt']['api_host'])
                self.assertEquals(hsmproxy_host_port,
                                  d['brkt']['hsmproxy_host'])
                self.assertEquals('updater', d['brkt']['solo_mode'])

        aws_svc.run_instance_callback = run_instance_callback
        update_ami(aws_svc,
                   encrypted_ami_id,
                   encryptor_image.id,
                   'Test updated AMI',
                   enc_svc_class=DummyEncryptorService,
                   instance_config=ic)
    def test_security_group_eventual_consistency(self):
        """ Test that we handle eventually consistency issues when creating
        a temporary security group.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        self.call_count = 0

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.call_count += 1
                if self.call_count < 3:
                    # Simulate eventual consistency error while creating
                    # security group.
                    e = EC2ResponseError(None, None)
                    e.error_code = 'InvalidGroup.NotFound'
                    raise e

        aws_svc.run_instance_callback = run_instance_callback

        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        self.assertEquals(3, self.call_count)
    def test_clean_up_root_snapshot(self):
        """ Test that we clean up the root snapshot if an exception is
        raised while waiting for it to complete.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        guest_instance = aws_svc.run_instance(guest_image.id)
        self.snapshot = None
        self.snapshot_was_deleted = False

        def get_snapshot_callback(snapshot):
            """ Simulate an exception being raised while waiting for the
            snapshot to complete.
            """
            raise TestException()

        def create_snapshot_callback(volume_id, snapshot):
            self.snapshot = snapshot

        def delete_snapshot_callback(snapshot_id):
            self.assertEqual(self.snapshot.id, snapshot_id)
            self.snapshot_was_deleted = True

        aws_svc.get_snapshot_callback = get_snapshot_callback
        aws_svc.create_snapshot_callback = create_snapshot_callback
        aws_svc.delete_snapshot_callback = delete_snapshot_callback

        with self.assertRaises(TestException):
            encrypt_ami._snapshot_root_volume(aws_svc, guest_instance,
                                              guest_image.id)
        self.assertTrue(self.snapshot_was_deleted)
 def test_smoke(self):
     """ Run the entire process and test that nothing obvious is broken.
     """
     aws_svc, encryptor_image, guest_image = build_aws_service()
     encrypted_ami_id = encrypt_ami.encrypt(
         aws_svc=aws_svc,
         enc_svc_cls=DummyEncryptorService,
         image_id=guest_image.id,
         encryptor_ami=encryptor_image.id)
     self.assertIsNotNone(encrypted_ami_id)
 def test_smoke(self):
     """ Run the entire process and test that nothing obvious is broken.
     """
     aws_svc, encryptor_image, guest_image = build_aws_service()
     encrypted_ami_id = encrypt_ami.encrypt(
         aws_svc=aws_svc,
         enc_svc_cls=DummyEncryptorService,
         image_id=guest_image.id,
         encryptor_ami=encryptor_image.id
     )
     self.assertIsNotNone(encrypted_ami_id)
    def test_encrypted_ami_name(self):
        """ Test that the name is set on the encrypted AMI when specified.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        name = 'Am I an AMI?'
        image_id = encrypt_ami.encrypt(aws_svc=aws_svc,
                                       enc_svc_cls=DummyEncryptorService,
                                       image_id=guest_image.id,
                                       encryptor_ami=encryptor_image.id,
                                       encrypted_ami_name=name)
        ami = aws_svc.get_image(image_id)
        self.assertEqual(name, ami.name)
    def test_encryption_error_console_output_not_available(self):
        """ Test that we handle the case when encryption fails and console
        output is not available.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.console_output_text = None

        try:
            encrypt_ami.encrypt(aws_svc=aws_svc,
                                enc_svc_cls=FailedEncryptionService,
                                image_id=guest_image.id,
                                encryptor_ami=encryptor_image.id)
            self.fail('Encryption should have failed')
        except encryptor_service.EncryptionError as e:
            self.assertIsNone(e.console_output_file)
    def test_encrypted_ami_name(self):
        """ Test that the name is set on the encrypted AMI when specified.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        name = 'Am I an AMI?'
        image_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            encrypted_ami_name=name
        )
        ami = aws_svc.get_image(image_id)
        self.assertEqual(name, ami.name)
    def test_brkt_env_update(self):
        """ Test that the Bracket environment is passed through to metavisor
        user data.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        api_host_port = 'api.example.com:777'
        hsmproxy_host_port = 'hsmproxy.example.com:888'
        network_host_port = 'network.example.com:999'
        cli_args = '--brkt-env %s,%s,%s' % (api_host_port, hsmproxy_host_port,
                                         network_host_port)
        values = instance_config_args_to_values(cli_args)
        ic = instance_config_from_values(values)

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                brkt_config = self._get_brkt_config_from_mime(args.user_data)
                d = json.loads(brkt_config)
                self.assertEquals(
                    api_host_port,
                    d['brkt']['api_host']
                )
                self.assertEquals(
                    hsmproxy_host_port,
                    d['brkt']['hsmproxy_host']
                )
                self.assertEquals(
                    network_host_port,
                    d['brkt']['network_host']
                )
                self.assertEquals(
                    'updater',
                    d['brkt']['solo_mode']
                )

        aws_svc.run_instance_callback = run_instance_callback
        update_ami(
            aws_svc, encrypted_ami_id, encryptor_image.id,
            'Test updated AMI',
            enc_svc_class=DummyEncryptorService,
            instance_config=ic
        )
    def test_guest_instance_type(self):
        """ Test that we use the specified instance type to launch the guest
        instance.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == guest_image.id:
                self.assertEqual('t2.micro', args.instance_type)

        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id,
                            guest_instance_type='t2.micro')
 def test_register_ami_hvm(self):
     """ Test the new (non-legacy) code path in register_ami().
     """
     aws_svc, encryptor_image, guest_image = build_aws_service()
     encryptor_instance = aws_svc.run_instance(encryptor_image.id)
     guest_instance = aws_svc.run_instance(guest_image.id)
     mv_bdm = encryptor_instance.block_device_mapping
     mv_root_volume_id = mv_bdm['/dev/sda1'].volume_id
     encrypt_ami.register_ami(aws_svc,
                              encryptor_instance,
                              encryptor_image,
                              'Name',
                              'Description',
                              legacy=False,
                              guest_instance=guest_instance,
                              mv_root_id=mv_root_volume_id)
Beispiel #29
0
    def test_validate_subnet_and_security_groups(self):
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # Subnet, no security groups.
        subnet = Subnet()
        subnet.id = 'subnet-1'
        subnet.vpc_id = 'vpc-1'
        aws_svc.subnets[subnet.id] = subnet

        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, subnet_id=subnet.id)

        # Security groups, no subnet.
        sg1 = aws_svc.create_security_group('test1', 'test')
        sg2 = aws_svc.create_security_group('test2', 'test')
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, security_group_ids=[sg1.id, sg2.id]
        )

        # Security group and subnet.
        sg3 = aws_svc.create_security_group(
            'test3', 'test', vpc_id=subnet.vpc_id)
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, subnet_id=subnet.id, security_group_ids=[sg3.id])

        # Security groups in different VPCs.
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, security_group_ids=[sg1.id, sg2.id, sg3.id])

        # Security group not in default subnet.
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, security_group_ids=[sg3.id])

        # Security group and subnet in different VPCs.
        sg4 = aws_svc.create_security_group(
            'test4', 'test', vpc_id='vpc-2')
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, subnet_id=subnet.id, security_group_ids=[sg4.id])

        # We don't validate security groups that have no vpc_id.
        sg5 = aws_svc.create_security_group('test5', 'test', vpc_id='vpc-2')
        sg5.vpc_id = None
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, security_group_ids=[sg5.id])
Beispiel #30
0
    def test_validate_subnet_and_security_groups(self):
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # Subnet, no security groups.
        subnet = Subnet()
        subnet.id = 'subnet-1'
        subnet.vpc_id = 'vpc-1'
        aws_svc.subnets[subnet.id] = subnet

        brkt_cli.aws._validate_subnet_and_security_groups(aws_svc,
                                                          subnet_id=subnet.id)

        # Security groups, no subnet.
        sg1 = aws_svc.create_security_group('test1', 'test')
        sg2 = aws_svc.create_security_group('test2', 'test')
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, security_group_ids=[sg1.id, sg2.id])

        # Security group and subnet.
        sg3 = aws_svc.create_security_group('test3',
                                            'test',
                                            vpc_id=subnet.vpc_id)
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, subnet_id=subnet.id, security_group_ids=[sg3.id])

        # Security groups in different VPCs.
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, security_group_ids=[sg1.id, sg2.id, sg3.id])

        # Security group not in default subnet.
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, security_group_ids=[sg3.id])

        # Security group and subnet in different VPCs.
        sg4 = aws_svc.create_security_group('test4', 'test', vpc_id='vpc-2')
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate_subnet_and_security_groups(
                aws_svc, subnet_id=subnet.id, security_group_ids=[sg4.id])

        # We don't validate security groups that have no vpc_id.
        sg5 = aws_svc.create_security_group('test5', 'test', vpc_id='vpc-2')
        sg5.vpc_id = None
        brkt_cli.aws._validate_subnet_and_security_groups(
            aws_svc, security_group_ids=[sg5.id])
    def test_encryption_error_console_output_not_available(self):
        """ Test that we handle the case when encryption fails and console
        output is not available.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()
        aws_svc.console_output_text = None

        try:
            encrypt_ami.encrypt(
                aws_svc=aws_svc,
                enc_svc_cls=FailedEncryptionService,
                image_id=guest_image.id,
                encryptor_ami=encryptor_image.id
            )
            self.fail('Encryption should have failed')
        except encryptor_service.EncryptionError as e:
            self.assertIsNone(e.console_output_file)
Beispiel #32
0
    def test_update_error_console_output(self):
        """ Test that when an update failure occurs, we write the
        console log to a temp file.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )

        # Create callbacks that make sure that we stop the updater
        # instance before collecting logs.
        self.updater_instance = None

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.updater_instance = args.instance

        self.updater_stopped = False

        def stop_instance_callback(instance):
            if (self.updater_instance and
                    instance.id == self.updater_instance.id):
                self.updater_stopped = True

        aws_svc.run_instance_callback = run_instance_callback
        aws_svc.stop_instance_callback = stop_instance_callback

        try:
            update_ami(
                aws_svc, encrypted_ami_id, encryptor_image.id,
                'Test updated AMI',
                enc_svc_class=FailedEncryptionService
            )
            self.fail('Update should have failed')
        except encryptor_service.EncryptionError as e:
            with open(e.console_output_file.name) as f:
                content = f.read()
                self.assertEquals(
                    test_aws_service.CONSOLE_OUTPUT_TEXT, content)
            os.remove(e.console_output_file.name)

        self.assertTrue(self.updater_stopped)
Beispiel #33
0
    def test_update_error_console_output(self):
        """ Test that when an update failure occurs, we write the
        console log to a temp file.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        encrypted_ami_id = encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id)

        # Create callbacks that make sure that we stop the updater
        # instance before collecting logs.
        self.updater_instance = None

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.updater_instance = args.instance

        self.updater_stopped = False

        def stop_instance_callback(instance):
            if (self.updater_instance
                    and instance.id == self.updater_instance.id):
                self.updater_stopped = True

        aws_svc.run_instance_callback = run_instance_callback
        aws_svc.stop_instance_callback = stop_instance_callback

        try:
            update_ami(aws_svc,
                       encrypted_ami_id,
                       encryptor_image.id,
                       'Test updated AMI',
                       enc_svc_class=FailedEncryptionService)
            self.fail('Update should have failed')
        except encryptor_service.EncryptionError as e:
            with open(e.console_output_file.name) as f:
                content = f.read()
                self.assertEquals(test_aws_service.CONSOLE_OUTPUT_TEXT,
                                  content)
            os.remove(e.console_output_file.name)

        self.assertTrue(self.updater_stopped)
    def test_guest_instance_type(self):
        """ Test that we use the specified instance type to launch the guest
        instance.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == guest_image.id:
                self.assertEqual('t2.micro', args.instance_type)

        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            guest_instance_type='t2.micro'
        )
 def test_register_ami_hvm(self):
     """ Test the new (non-legacy) code path in register_ami().
     """
     aws_svc, encryptor_image, guest_image = build_aws_service()
     encryptor_instance = aws_svc.run_instance(encryptor_image.id)
     guest_instance = aws_svc.run_instance(guest_image.id)
     mv_bdm = encryptor_instance.block_device_mapping
     mv_root_volume_id = mv_bdm['/dev/sda1'].volume_id
     encrypt_ami.register_ami(
         aws_svc,
         encryptor_instance,
         encryptor_image,
         'Name',
         'Description',
         legacy=False,
         guest_instance=guest_instance,
         mv_root_id=mv_root_volume_id
     )
Beispiel #36
0
    def test_duplicate_image_name(self):
        """ Test that we detect name collisions with the encrypted image.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # No name.
        values = DummyValues()
        values.ami = guest_image.id
        brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)

        # Unique name.
        guest_image.name = 'My image'
        values.encrypted_ami_name = 'Proposed name'
        brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)

        # Name collision.
        values.encrypted_ami_name = guest_image.name
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)
Beispiel #37
0
    def test_duplicate_image_name(self):
        """ Test that we detect name collisions with the encrypted image.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        # No name.
        values = DummyValues()
        values.ami = guest_image.id
        brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)

        # Unique name.
        guest_image.name = 'My image'
        values.encrypted_ami_name = 'Proposed name'
        brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)

        # Name collision.
        values.encrypted_ami_name = guest_image.name
        with self.assertRaises(ValidationError):
            brkt_cli.aws._validate(aws_svc, values, encryptor_image.id)
    def test_instance_type(self):
        """ Test that we launch the guest as m3.medium and the encryptor
        as c3.xlarge.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == guest_image.id:
                self.assertEqual('m3.medium', args.instance_type)
                self.assertFalse(args.ebs_optimized)
            elif args.image_id == encryptor_image.id:
                self.assertEqual('c3.xlarge', args.instance_type)
                self.assertTrue(args.ebs_optimized)
            else:
                self.fail('Unexpected image id: ' + args.image_id)

        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(aws_svc=aws_svc,
                            enc_svc_cls=DummyEncryptorService,
                            image_id=guest_image.id,
                            encryptor_ami=encryptor_image.id)
    def test_instance_type(self):
        """ Test that we launch the guest as m3.medium and the encryptor
        as c3.xlarge.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        def run_instance_callback(args):
            if args.image_id == guest_image.id:
                self.assertEqual('m3.medium', args.instance_type)
                self.assertFalse(args.ebs_optimized)
            elif args.image_id == encryptor_image.id:
                self.assertEqual('c3.xlarge', args.instance_type)
                self.assertTrue(args.ebs_optimized)
            else:
                self.fail('Unexpected image id: ' + args.image_id)

        aws_svc.run_instance_callback = run_instance_callback
        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id
        )
    def test_no_terminate_encryptor_on_failure(self):
        """ Test that when terminate_encryptor_on_failure=False, we terminate
        the encryptor only when encryption succeeds.
        """
        aws_svc, encryptor_image, guest_image = build_aws_service()

        self.guest_instance_id = None
        self.guest_terminated = False
        self.encryptor_instance_id = None
        self.encryptor_terminated = False
        self.security_group_deleted = False
        self.snapshot_deleted = False

        def run_instance_callback(args):
            if args.image_id == encryptor_image.id:
                self.encryptor_instance_id = args.instance.id
            if args.image_id == guest_image.id:
                self.guest_instance_id = args.instance.id

        def delete_snapshot_callback(snapshot_id):
            self.snapshot_deleted = True

        def terminate_instance_callback(instance_id):
            self.assertIsNotNone(self.encryptor_instance_id)
            if instance_id == self.encryptor_instance_id:
                self.encryptor_terminated = True
            if instance_id == self.guest_instance_id:
                self.guest_terminated = True

        def delete_security_group_callback(sg_id):
            self.security_group_deleted = True

        # Encryption succeeded.  Make sure the encryptor was terminated.
        aws_svc.run_instance_callback = run_instance_callback
        aws_svc.delete_snapshot_callback = delete_snapshot_callback
        aws_svc.terminate_instance_callback = terminate_instance_callback
        aws_svc.delete_security_group_callback = \
            delete_security_group_callback

        encrypt_ami.encrypt(
            aws_svc=aws_svc,
            enc_svc_cls=DummyEncryptorService,
            image_id=guest_image.id,
            encryptor_ami=encryptor_image.id,
            terminate_encryptor_on_failure=False
        )

        self.assertIsNotNone(self.encryptor_instance_id)
        self.assertTrue(self.snapshot_deleted)
        self.assertTrue(self.guest_terminated)
        self.assertTrue(self.encryptor_terminated)
        self.assertTrue(self.security_group_deleted)

        # Encryption failed.  Make sure the encryptor was not terminated.
        self.guest_instance_id = None
        self.guest_terminated = False
        self.encryptor_instance_id = None
        self.encryptor_terminated = False
        self.security_group_deleted = False
        self.snapshot_deleted = False

        with self.assertRaises(encryptor_service.EncryptionError):
            encrypt_ami.encrypt(
                aws_svc=aws_svc,
                enc_svc_cls=FailedEncryptionService,
                image_id=guest_image.id,
                encryptor_ami=encryptor_image.id,
                terminate_encryptor_on_failure=False
            )
        self.assertIsNotNone(self.encryptor_instance_id)
        self.assertTrue(self.snapshot_deleted)
        self.assertTrue(self.guest_terminated)
        self.assertFalse(self.encryptor_terminated)
        self.assertFalse(self.security_group_deleted)