def get_product_streams(url):
"""Get product streams json data with retry."""
# There is a race between the images being available in glance and any
# metadata being written. Use tenacity to avoid this race.
client = requests.session()
json_data = client.get(url, verify=openstack_utils.get_cacert()).text
return json.loads(json_data)
def setUpClass(cls, application_name=None, model_alias=None):
"""Run setup for test class to create common resources."""
super(OpenStackBaseTest, cls).setUpClass(application_name, model_alias)
cls.keystone_session = openstack_utils.get_overcloud_keystone_session(
model_name=cls.model_name)
cls.cacert = openstack_utils.get_cacert()
cls.nova_client = (
openstack_utils.get_nova_session_client(cls.keystone_session))
def s3_setup():
"""Run setup of s3 options for Trilio."""
session = openstack_utils.get_overcloud_keystone_session()
ks_client = openstack_utils.get_keystone_session_client(session)
# Get token data so we can glean our user_id and project_id
token_data = ks_client.tokens.get_token_data(session.get_token())
project_id = token_data['token']['project']['id']
user_id = token_data['token']['user']['id']
# Store URL to service providing S3 compatible API
for entry in token_data['token']['catalog']:
if entry['type'] == 's3':
for endpoint in entry['endpoints']:
if endpoint['interface'] == 'public':
s3_region = endpoint['region']
s3_endpoint = endpoint['url']
# Create AWS compatible application credentials in Keystone
ec2_creds = ks_client.ec2.create(user_id, project_id)
cacert = openstack_utils.get_cacert()
kwargs = {
'region_name': s3_region,
'aws_access_key_id': ec2_creds.access,
'aws_secret_access_key': ec2_creds.secret,
'endpoint_url': s3_endpoint,
'verify': cacert,
}
s3 = boto3.resource('s3', **kwargs)
# Create bucket
bucket_name = 'zaza-trilio'
logging.info("Creating bucket: {}".format(bucket_name))
bucket = s3.Bucket(bucket_name)
bucket.create()
s3_config = {
'tv-s3-secret-key': ec2_creds.secret,
'tv-s3-access-key': ec2_creds.access,
'tv-s3-region-name': s3_region,
'tv-s3-bucket': bucket_name,
'tv-s3-endpoint-url': s3_endpoint
}
for app in ['trilio-wlm', 'trilio-data-mover']:
logging.info("Setting s3 config for {}".format(app))
zaza_model.set_application_config(app, s3_config)
test_config = lifecycle_utils.get_charm_config(fatal=False)
states = test_config.get('target_deploy_status', {})
states['trilio-wlm'] = {
'workload-status': 'blocked',
'workload-status-message': 'application not trusted'
}
zaza_model.wait_for_application_states(states=test_config.get(
'target_deploy_status', {}),
timeout=7200)
zaza_model.block_until_all_units_idle()
def test_end_user_domain_admin_access(self):
"""Verify that end-user domain admin does not have elevated privileges.
In addition to validating that the `policy.json` is written and the
service is restarted on config-changed, the test validates that our
`policy.json` is correct.
Catch regressions like LP: #1651989
"""
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_ocata')):
logging.info('skipping test < xenial_ocata')
return
with self.v3_keystone_preferred():
for ip in self.keystone_ips:
openrc = {
'API_VERSION': 3,
'OS_USERNAME': DEMO_ADMIN_USER,
'OS_PASSWORD': DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': DEMO_DOMAIN,
'OS_DOMAIN_NAME': DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.get_cacert()
openrc['OS_AUTH_URL'] = (
openrc['OS_AUTH_URL'].replace('http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
try:
# expect failure
keystone_client.domains.list()
except keystoneauth1.exceptions.http.Forbidden as e:
logging.debug('Retrieve domain list as end-user domain '
'admin NOT allowed...OK ({})'.format(e))
pass
else:
raise zaza_exceptions.KeystoneAuthorizationPermissive(
'Retrieve domain list as end-user domain admin '
'allowed when it should not be.')
logging.info('OK')
def _get_keystone_session(self, ip, openrc, scope='DOMAIN'):
"""Return the keystone session for the IP address passed.
:param ip: the IP address to get the session against.
:type ip: str
:param openrc: the params to authenticate with.
:type openrc: Dict[str, str]
:param scope: the scope of the token
:type scope: str
:returns: a keystone session to the IP address
:rtype: keystoneauth1.session.Session
"""
logging.info('Authentication for {} on keystone IP {}'.format(
openrc['OS_USERNAME'], ip))
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.get_cacert()
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(openrc,
scope=scope)
return keystone_session
def _validate_token_data(openrc):
if self.tls_rid:
openrc['OS_CACERT'] = openstack_utils.get_cacert()
openrc['OS_AUTH_URL'] = (
openrc['OS_AUTH_URL'].replace('http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc)
keystone_client = openstack_utils.get_keystone_session_client(
keystone_session)
token = keystone_session.get_token()
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('xenial_ocata')):
if len(token) != 32:
raise zaza_exceptions.KeystoneWrongTokenProvider(
'We expected a UUID token and got this: "{}"'
.format(token))
else:
if len(token) < 180:
raise zaza_exceptions.KeystoneWrongTokenProvider(
'We expected a Fernet token and got this: "{}"'
.format(token))
logging.info('token: "{}"'.format(pprint.pformat(token)))
if (openstack_utils.get_os_release() <
openstack_utils.get_os_release('trusty_mitaka')):
logging.info('skip: tokens.get_token_data() not allowed prior '
'to trusty_mitaka')
return
# get_token_data call also gets the service catalog
token_data = keystone_client.tokens.get_token_data(token)
if token_data.get('token', {}).get('catalog', None) is None:
raise zaza_exceptions.KeystoneAuthorizationStrict(
# NOTE(fnordahl) the above call will probably throw a
# http.Forbidden exception, but just in case
'Regular end user not allowed to retrieve the service '
'catalog. ("{}")'.format(pprint.pformat(token_data)))
logging.info('token_data: "{}"'.format(pprint.pformat(token_data)))
