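def test_security_checklist(self):
    """Run `security-checklist` on every unit and audit the results.

    The file ownership, file permission and Keystone checks are always
    expected to pass.  The two TLS checks are expected to pass only when
    nova-cloud-controller has a `certificates` relation to vault;
    otherwise they are listed as expected failures and
    ``expected_to_pass`` is False.
    """
    # Checks listed as expected failures are known gaps; each is meant to
    # be tracked by its own bug and removed from the list once resolved.
    expected_failures = []
    expected_passes = [
        'validate-file-ownership',
        'validate-file-permissions',
        'validate-uses-keystone',
    ]
    tls_checks = [
        'validate-uses-tls-for-glance',
        'validate-uses-tls-for-keystone',
    ]
    # Resolve the relation in the same model that the units and the action
    # use, so the TLS expectation is never derived from a different model
    # than the one being audited.
    # NOTE(review): the application name is hard-coded here while
    # get_units() uses self.application_name -- confirm they always match.
    if zaza.model.get_relation_id(
            'nova-cloud-controller', 'vault',
            model_name=self.model_name,
            remote_interface_name='certificates'):
        expected_passes.extend(tls_checks)
    else:
        expected_failures.extend(tls_checks)

    for unit in zaza.model.get_units(self.application_name,
                                     model_name=self.model_name):
        logging.info('Running `security-checklist` action'
                     ' on unit {}'.format(unit.entity_id))
        test_utils.audit_assertions(
            zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={}),
            expected_passes,
            expected_failures,
            # Expected to pass only when nothing is listed as failing.
            expected_to_pass=not expected_failures)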
def test_security_checklist(self):
    """Audit the leader's `security-checklist` result against a baseline.

    The action is run once, on the leader of ``self.application_name``,
    and is expected not to pass (``expected_to_pass=False``).
    """
    logging.info("Testing security checklist.")

    # Audits that are currently expected to fail.
    # NOTE(review): these names mix '-' and '_' and one is spelled
    # 'securie_...'; they are presumably compared verbatim with the names
    # the charm reports, so confirm against the charm before "correcting"
    # any of them.
    known_failing = [
        'csrf_cookie_set',
        'disable_password_reveal',
        'disallow-iframe-embed',
        'password-validator-is-not-default',
        'securie_proxy_ssl_header_is_set',
        'session_cookie-httponly',
        'session-cookie-store',
    ]
    # Audits that must pass.
    known_passing = [
        'disable_password_autocomplete',
        'enforce-password-check',
        'validate-file-ownership',
        'validate-file-permissions',
    ]

    announcement = 'Running `security-checklist` action on {} leader'.format(
        self.application_name)
    logging.info(announcement)

    action = zaza_model.run_action_on_leader(
        self.application_name,
        'security-checklist',
        model_name=self.model_name,
        action_params={})
    test_utils.audit_assertions(
        action,
        known_passing,
        known_failing,
        expected_to_pass=False)
def test_security_checklist(self):
    """Audit every cinder unit's `security-checklist` result.

    The action is expected not to pass (``expected_to_pass=False``)
    because several audits are listed as expected failures.
    """
    # Known gaps: each entry is meant to be tracked by its own bug and
    # dropped from this list once the corresponding fix lands.
    known_failing = [
        'check-max-request-body-size',
        'is-volume-encryption-enabled',
        'uses-tls-for-glance',
        'uses-tls-for-nova',
        'validate-uses-tls-for-keystone',
    ]
    known_passing = [
        'validate-file-ownership',
        'validate-file-permissions',
        'validate-nas-uses-secure-environment',
        'validate-uses-keystone',
    ]

    cinder_units = zaza.model.get_units('cinder', model_name=self.model_name)
    for cinder_unit in cinder_units:
        unit_id = cinder_unit.entity_id
        logging.info(
            'Running `security-checklist` action on unit {}'.format(unit_id))
        action = zaza.model.run_action(
            unit_id,
            'security-checklist',
            model_name=self.model_name,
            action_params={})
        test_utils.audit_assertions(
            action,
            known_passing,
            known_failing,
            expected_to_pass=False)
def test_security_checklist(self):
    """Audit the keystone leader's `security-checklist` result.

    No audit is listed as an expected failure, so the action is expected
    to pass (``expected_to_pass=True``).
    """
    # Nothing is currently expected to fail; if a gap is found, list it
    # here and track it with its own bug.
    known_failing = []
    known_passing = [
        'check-max-request-body-size',
        'disable-admin-token',
        'insecure-debug-is-false',
        'uses-fernet-token-after-default',
        'uses-sha256-for-hashing-tokens',
        'validate-file-ownership',
        'validate-file-permissions',
    ]

    logging.info(
        'Running `security-checklist` action on Keystone leader unit')
    action = zaza.model.run_action_on_leader(
        'keystone',
        'security-checklist',
        action_params={})
    test_utils.audit_assertions(
        action,
        known_passing,
        known_failing,
        expected_to_pass=True)
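def test_security_checklist(self):
    """Run `security-checklist` on every neutron-api unit and audit it.

    'validate-enables-tls' is always listed as an expected failure, so the
    action is always expected not to pass.  The Keystone TLS check is
    expected to pass only when neutron-api has a `certificates` relation
    to vault; otherwise it is added to the expected failures.
    """
    tls_checks = [
        'validate-uses-tls-for-keystone',
    ]
    expected_failures = [
        'validate-enables-tls',  # LP: #1851610
    ]
    expected_passes = [
        'validate-file-ownership',
        'validate-file-permissions',
        'validate-uses-keystone',
    ]
    # Resolve the relation in the same model that the units and the action
    # use, so the TLS expectation is never derived from a different model
    # than the one being audited.
    if zaza.model.get_relation_id(
            'neutron-api', 'vault',
            model_name=self.model_name,
            remote_interface_name='certificates'):
        expected_passes.extend(tls_checks)
    else:
        expected_failures.extend(tls_checks)

    for unit in zaza.model.get_units('neutron-api',
                                     model_name=self.model_name):
        logging.info('Running `security-checklist` action'
                     ' on unit {}'.format(unit.entity_id))
        test_utils.audit_assertions(
            zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={}),
            expected_passes,
            expected_failures,
            expected_to_pass=False)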
def test_osd_security_checklist(self):
    """Audit the ceph-osd leader's `security-checklist` result.

    Only the file ownership and file permission audits are listed, both
    as expected passes, and the action is expected to pass.
    """
    known_failing = []
    known_passing = [
        'validate-file-ownership',
        'validate-file-permissions',
    ]

    logging.info(
        'Running `security-checklist` action on Ceph OSD leader unit')
    action = zaza_model.run_action_on_leader(
        'ceph-osd',
        'security-checklist',
        action_params={})
    test_utils.audit_assertions(
        action,
        known_passing,
        known_failing,
        expected_to_pass=True)
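def test_security_checklist(self):
    """Run `security-checklist` on every unit and audit the results.

    By default only the file ownership and file permission audits are
    expected, both passing, and the action is expected to pass.  When the
    application is neutron-api, the Keystone and TLS expectations are
    added and the action is expected not to pass.
    """
    expected_failures = []
    expected_passes = [
        'validate-file-ownership',
        'validate-file-permissions',
    ]
    expected_to_pass = True

    # override settings depending on application name so we can reuse
    # the class for multiple charms
    if self.application_name == 'neutron-api':
        tls_checks = [
            'validate-uses-tls-for-keystone',
        ]
        expected_failures = [
            'validate-enables-tls',  # LP: #1851610
        ]
        expected_passes.append('validate-uses-keystone')
        # Resolve the relation in the same model that the units and the
        # action use, so the TLS expectation is never derived from a
        # different model than the one being audited.
        if zaza.model.get_relation_id(
                'neutron-api', 'vault',
                model_name=self.model_name,
                remote_interface_name='certificates'):
            expected_passes.extend(tls_checks)
        else:
            expected_failures.extend(tls_checks)
        # 'validate-enables-tls' is listed as failing either way.
        expected_to_pass = False

    for unit in zaza.model.get_units(self.application_name,
                                     model_name=self.model_name):
        logging.info('Running `security-checklist` action'
                     ' on unit {}'.format(unit.entity_id))
        test_utils.audit_assertions(
            zaza.model.run_action(
                unit.entity_id,
                'security-checklist',
                model_name=self.model_name,
                action_params={}),
            expected_passes,
            expected_failures,
            expected_to_pass=expected_to_pass)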