def test_ensure_vtpm_secret(self, mock_get_manager):
        """Verify the lookup path for an instance that already has a secret.

        When ``vtpm_secret_uuid`` is present in the instance's system
        metadata, the secret should be fetched through the (mocked) castellan
        key manager and its ID and encoded value returned to the caller.
        """
        key_manager = mock_get_manager.return_value
        stored_secret = FakePassphrase()
        key_manager.get.return_value = stored_secret

        inst = objects.Instance()
        inst.system_metadata = {'vtpm_secret_uuid': uuids.vtpm}

        secret_id, secret_encoded = crypto.ensure_vtpm_secret(
            self.ctxt, inst)

        # The lookup must use the caller's request context and the UUID
        # recorded on the instance, not some other identifier.
        key_manager.get.assert_called_once_with(self.ctxt, uuids.vtpm)
        # NOTE(review): nothing here asserts that no new secret is stored on
        # this path; consider checking that key_manager.store is not called.
        self.assertEqual(stored_secret.id, secret_id)
        self.assertEqual(stored_secret.get_encoded(), secret_encoded)
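    def test_ensure_vtpm_secret_no_secret(self, mock_get_manager, mock_pass):
        """Check behavior when instance has no associated vTPM secret.

        A new passphrase should be created and stored via the key manager,
        and the resulting secret UUID should be recorded on the instance so
        that later calls find the same secret instead of creating another.
        """
        instance = objects.Instance()
        instance.uuid = uuids.instance
        instance.system_metadata = {}
        key_manager = mock_get_manager.return_value
        key_manager.store.return_value = uuids.secret
        passphrase = FakePassphrase()
        mock_pass.return_value = passphrase

        with mock.patch.object(instance, 'save') as mock_save:
            secret_uuid, _ = crypto.ensure_vtpm_secret(self.ctxt, instance)

        # The secret material and its name are matched with mock.ANY, so this
        # test does not check the size or source of the generated secret.
        mock_pass.assert_called_once_with(mock.ANY, name=mock.ANY)
        key_manager.store.assert_called_once_with(self.ctxt, passphrase)
        mock_save.assert_called_once()
        self.assertEqual(uuids.secret, secret_uuid)
        # save() being called says nothing about what was persisted. The
        # lookup path reads 'vtpm_secret_uuid' from system metadata, so the
        # new secret's UUID has to land under that key or the secret is
        # orphaned in the key manager and a fresh one is created next time.
        self.assertEqual(
            uuids.secret, instance.system_metadata.get('vtpm_secret_uuid'))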