def test_003_test_overide_is_observed(self):
"""Test that the override is observed by the underlying service."""
if self._test_name is None:
logging.info("Doing policyd override for {}"
.format(self._service_name))
else:
logging.info(self._test_name)
# note policyd override only works with Xenial-queens and so keystone
# is already v3
# Allow the overriden class to setup the environment before the policyd
# test is performed.
self.setup_for_attempt_operation(self.keystone_ips[0])
# verify that the operation works before performing the policyd
# override.
zaza_model.block_until_wl_status_info_starts_with(
self.application_name, "PO:", negate_match=True)
zaza_model.block_until_all_units_idle()
logging.info("First verify that operation works prior to override")
try:
self.get_client_and_attempt_operation(self.keystone_ips[0])
except Exception as e:
self.cleanup_for_attempt_operation(self.keystone_ips[0])
raise zaza_exceptions.PolicydError(
'Service action failed and should have passed. "{}"'
.format(str(e)))
# now do the policyd override.
logging.info("Doing policyd override with: {}".format(self._rule))
self._set_policy_with(self._rule)
zaza_model.block_until_all_units_idle()
# now make sure the operation fails
logging.info("Now verify that operation doesn't work with override")
try:
self.get_client_and_attempt_operation(self.keystone_ips[0])
raise zaza_exceptions.PolicydError(
"Service action passed and should have failed.")
except PolicydOperationFailedException:
pass
except zaza_exceptions.PolicydError as e:
logging.info("{}".format(str(e)))
raise
except Exception as e:
logging.info("exception was: {}".format(e.__class__.__name__))
import traceback
logging.info(traceback.format_exc())
self.cleanup_for_attempt_operation(self.keystone_ips[0])
raise zaza_exceptions.PolicydError(
'Service action failed in an unexpected way: {}'
.format(str(e)))
# clean out the policy and wait
self._set_config(False)
# check that the status no longer has "PO:" on it.
# we have to do it twice due to async races and that some info lines
# erase the PO: bit prior to actuall getting back to idle. The double
# check verifies that the charms have started, the idle waits until it
# is finished, and then the final check really makes sure they got
# switched off.
zaza_model.block_until_wl_status_info_starts_with(
self.application_name, "PO:", negate_match=True)
zaza_model.block_until_all_units_idle()
zaza_model.block_until_wl_status_info_starts_with(
self.application_name, "PO:", negate_match=True)
# Finally make sure it works again!
logging.info("Finally verify that operation works after removing the "
"override.")
try:
self.get_client_and_attempt_operation(self.keystone_ips[0])
except Exception as e:
raise zaza_exceptions.PolicydError(
'Service action failed and should have passed after removing '
'policy override: "{}"'
.format(str(e)))
finally:
self.cleanup_for_attempt_operation(self.keystone_ips[0])
def test_disable_service(self):
"""Test that service can be disabled."""
logging.info("Doing policyd override to disable listing domains")
self._set_policy_with({'rule.yaml': "{'identity:list_services': '!'}"})
# verify that the policy.d override does disable the endpoint
with self.config_change(
{
'preferred-api-version': self.default_api_version,
'use-policyd-override': 'False'
}, {
'preferred-api-version': '3',
'use-policyd-override': 'True'
},
application_name="keystone"):
zaza_model.block_until_all_units_idle()
for ip in self.keystone_ips:
try:
logging.info('keystone IP {}'.format(ip))
openrc = {
'API_VERSION': 3,
'OS_USERNAME': ch_keystone.DEMO_ADMIN_USER,
'OS_PASSWORD': ch_keystone.DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': ch_keystone.DEMO_DOMAIN,
'OS_DOMAIN_NAME': ch_keystone.DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = \
openstack_utils.KEYSTONE_LOCAL_CACERT
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = (
openstack_utils.get_keystone_session_client(
keystone_session))
keystone_client.services.list()
raise zaza_exceptions.PolicydError(
'Retrieve service list as admin with project scoped '
'token passed and should have failed. IP = {}'.format(
ip))
except keystoneauth1.exceptions.http.Forbidden:
logging.info("keystone IP:{} policyd override disabled "
"services listing by demo user".format(ip))
# now verify (with the config off) that we can actually access
# these points
with self.config_change(
{'preferred-api-version': self.default_api_version},
{'preferred-api-version': '3'},
application_name="keystone"):
zaza_model.block_until_all_units_idle()
for ip in self.keystone_ips:
try:
logging.info('keystone IP {}'.format(ip))
openrc = {
'API_VERSION': 3,
'OS_USERNAME': ch_keystone.DEMO_ADMIN_USER,
'OS_PASSWORD': ch_keystone.DEMO_ADMIN_USER_PASSWORD,
'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip),
'OS_USER_DOMAIN_NAME': ch_keystone.DEMO_DOMAIN,
'OS_DOMAIN_NAME': ch_keystone.DEMO_DOMAIN,
}
if self.tls_rid:
openrc['OS_CACERT'] = \
openstack_utils.KEYSTONE_LOCAL_CACERT
openrc['OS_AUTH_URL'] = (openrc['OS_AUTH_URL'].replace(
'http', 'https'))
logging.info('keystone IP {}'.format(ip))
keystone_session = openstack_utils.get_keystone_session(
openrc, scope='DOMAIN')
keystone_client = (
openstack_utils.get_keystone_session_client(
keystone_session))
keystone_client.services.list()
logging.info("keystone IP:{} without policyd override "
"services list working".format(ip))
except keystoneauth1.exceptions.http.Forbidden:
raise zaza_exceptions.PolicydError(
'Retrieve services list as demo user with project '
'scoped token passed and should have passed. IP = {}'.
format(ip))
logging.info('OK')