def test_security_checklist(self):
        """Run `security-checklist` on every unit and assert the audit result.

        File ownership, file permissions and Keystone usage are always
        expected to pass. The two TLS checks are expected to pass only when
        a ``certificates`` relation between nova-cloud-controller and vault
        exists; otherwise they are recorded as expected failures and the
        action as a whole is expected not to pass.
        """
        # Expected failures are known gaps, each meant to be fixed under its
        # own bug after this validation lands. A green run with entries in
        # this list means the gaps are as expected, not that the unit is
        # hardened.
        tls_checks = [
            'validate-uses-tls-for-glance',
            'validate-uses-tls-for-keystone',
        ]
        expected_passes = [
            'validate-file-ownership',
            'validate-file-permissions',
            'validate-uses-keystone',
        ]
        expected_failures = []

        # NOTE(review): this lookup passes no model_name, while the calls
        # below pass self.model_name, and it names 'nova-cloud-controller'
        # directly while the units come from self.application_name --
        # confirm both resolve to the deployment under test.
        certificates_relation = zaza.model.get_relation_id(
            'nova-cloud-controller',
            'vault',
            remote_interface_name='certificates')
        tls_bucket = (expected_passes if certificates_relation
                      else expected_failures)
        tls_bucket.extend(tls_checks)

        units = zaza.model.get_units(self.application_name,
                                     model_name=self.model_name)
        for unit in units:
            message = ('Running `security-checklist` action'
                       ' on  unit {}').format(unit.entity_id)
            logging.info(message)
            action = zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={})
            # The action may only pass overall when nothing is expected to
            # fail.
            test_utils.audit_assertions(
                action,
                expected_passes,
                expected_failures,
                expected_to_pass=not expected_failures)
Exemple #2
    def test_security_checklist(self):
        """Run `security-checklist` on the leader and assert the audit result.

        Four checks are expected to pass and seven are expected to fail, so
        the action as a whole is expected not to pass.
        """
        logging.info("Testing security checklist.")

        expected_passes = [
            'disable_password_autocomplete',
            'enforce-password-check',
            'validate-file-ownership',
            'validate-file-permissions',
        ]
        # Hardening checks this test currently tolerates as failing (cookie,
        # framing, password and proxy-header settings). A green run therefore
        # does not mean these settings are in place.
        # NOTE(review): the names mix '_' and '-', and 'securie_...' is kept
        # exactly as written. They presumably have to match the keys in the
        # action result -- confirm, since a name that matches nothing may be
        # skipped silently depending on how audit_assertions iterates.
        expected_failures = [
            'csrf_cookie_set',
            'disable_password_reveal',
            'disallow-iframe-embed',
            'password-validator-is-not-default',
            'securie_proxy_ssl_header_is_set',
            'session_cookie-httponly',
            'session-cookie-store',
        ]

        message = ('Running `security-checklist` action'
                   ' on {} leader').format(self.application_name)
        logging.info(message)
        action = zaza_model.run_action_on_leader(
            self.application_name,
            'security-checklist',
            model_name=self.model_name,
            action_params={})
        test_utils.audit_assertions(
            action,
            expected_passes,
            expected_failures,
            expected_to_pass=False)
Exemple #3
    def test_security_checklist(self):
        """Run `security-checklist` on each cinder unit and assert the result.

        Four checks are expected to pass and five are expected to fail, so
        the action as a whole is expected not to pass.
        """
        expected_passes = [
            'validate-file-ownership',
            'validate-file-permissions',
            'validate-nas-uses-secure-environment',
            'validate-uses-keystone',
        ]
        # Known gaps (request body size limit, volume encryption, TLS to
        # glance, nova and keystone). Each is meant to be fixed under its own
        # bug after this validation lands; a green run here does not mean
        # these protections are enabled.
        # NOTE(review): two TLS entries lack the 'validate-' prefix used by
        # the third -- confirm the names against the action's result keys.
        expected_failures = [
            'check-max-request-body-size',
            'is-volume-encryption-enabled',
            'uses-tls-for-glance',
            'uses-tls-for-nova',
            'validate-uses-tls-for-keystone',
        ]

        units = zaza.model.get_units('cinder', model_name=self.model_name)
        for unit in units:
            message = ('Running `security-checklist` action'
                       ' on  unit {}').format(unit.entity_id)
            logging.info(message)
            action = zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={})
            test_utils.audit_assertions(
                action,
                expected_passes,
                expected_failures,
                expected_to_pass=False)
Exemple #4
    def test_security_checklist(self):
        """Run `security-checklist` on the keystone leader and assert it passes.

        All seven listed checks are expected to pass and none are expected
        to fail, so the action as a whole is expected to pass.
        """
        expected_passes = [
            'check-max-request-body-size',
            'disable-admin-token',
            'insecure-debug-is-false',
            'uses-fernet-token-after-default',
            'uses-sha256-for-hashing-tokens',
            'validate-file-ownership',
            'validate-file-permissions',
        ]
        # No failures are currently expected. Any known gap added here is
        # meant to be fixed under its own bug and then removed again.
        expected_failures = []

        logging.info('Running `security-checklist` action'
                     ' on Keystone leader unit')
        # NOTE(review): no model_name is passed to this call -- confirm the
        # default model is the one under test.
        action = zaza.model.run_action_on_leader(
            'keystone',
            'security-checklist',
            action_params={})
        test_utils.audit_assertions(
            action,
            expected_passes,
            expected_failures,
            expected_to_pass=True)
Exemple #5
    def test_security_checklist(self):
        """Run `security-checklist` on each neutron-api unit and assert it.

        ``validate-enables-tls`` is always listed as an expected failure, so
        the action as a whole is expected not to pass. The Keystone TLS check
        is expected to pass only when a ``certificates`` relation between
        neutron-api and vault exists.
        """
        expected_passes = [
            'validate-file-ownership',
            'validate-file-permissions',
            'validate-uses-keystone',
        ]
        # Known gap; a green run does not mean TLS is enabled on the unit.
        expected_failures = [
            'validate-enables-tls',  # LP: #1851610
        ]
        tls_checks = [
            'validate-uses-tls-for-keystone',
        ]

        # NOTE(review): this lookup passes no model_name, while the calls
        # below pass self.model_name -- confirm they target the same model.
        certificates_relation = zaza.model.get_relation_id(
            'neutron-api',
            'vault',
            remote_interface_name='certificates')
        tls_bucket = (expected_passes if certificates_relation
                      else expected_failures)
        tls_bucket.extend(tls_checks)

        units = zaza.model.get_units('neutron-api',
                                     model_name=self.model_name)
        for unit in units:
            message = ('Running `security-checklist` action'
                       ' on  unit {}').format(unit.entity_id)
            logging.info(message)
            action = zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={})
            test_utils.audit_assertions(
                action,
                expected_passes,
                expected_failures,
                expected_to_pass=False)
Exemple #6
    def test_osd_security_checklist(self):
        """Run `security-checklist` on the ceph-osd leader and assert it passes.

        Only the file ownership and file permission checks are listed, both
        as expected passes; the action as a whole is expected to pass.
        """
        expected_passes = [
            'validate-file-ownership',
            'validate-file-permissions',
        ]
        expected_failures = []

        logging.info('Running `security-checklist` action'
                     ' on Ceph OSD leader unit')
        # NOTE(review): no model_name is passed to this call -- confirm the
        # default model is the one under test.
        action = zaza_model.run_action_on_leader(
            'ceph-osd', 'security-checklist', action_params={})
        test_utils.audit_assertions(
            action,
            expected_passes,
            expected_failures,
            expected_to_pass=True)
Exemple #7
    def test_security_checklist(self):
        """Run `security-checklist` on every unit and assert the audit result.

        By default only file ownership and file permissions are checked and
        the action is expected to pass. When the application under test is
        neutron-api, the Keystone check is added, ``validate-enables-tls`` is
        an expected failure, the Keystone TLS check depends on a
        ``certificates`` relation to vault, and the action as a whole is
        expected not to pass.
        """
        expected_passes = [
            'validate-file-ownership',
            'validate-file-permissions',
        ]
        expected_failures = []
        expected_to_pass = True

        # The class is shared by several charms, so the expectations are
        # adjusted per application name.
        if self.application_name == 'neutron-api':
            expected_to_pass = False
            expected_passes.append('validate-uses-keystone')
            # Known gap; a green run does not mean TLS is enabled.
            expected_failures = [
                'validate-enables-tls',  # LP: #1851610
            ]
            tls_checks = [
                'validate-uses-tls-for-keystone',
            ]
            # NOTE(review): this lookup passes no model_name, while the calls
            # below pass self.model_name -- confirm they target the same
            # model.
            certificates_relation = zaza.model.get_relation_id(
                'neutron-api',
                'vault',
                remote_interface_name='certificates')
            tls_bucket = (expected_passes if certificates_relation
                          else expected_failures)
            tls_bucket.extend(tls_checks)

        units = zaza.model.get_units(self.application_name,
                                     model_name=self.model_name)
        for unit in units:
            message = ('Running `security-checklist` action'
                       ' on  unit {}').format(unit.entity_id)
            logging.info(message)
            action = zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={})
            test_utils.audit_assertions(
                action,
                expected_passes,
                expected_failures,
                expected_to_pass=expected_to_pass)