def basic_setup(cacert=None, unseal_and_authorize=False):
    """Initialise Vault, or reuse an earlier initialisation, for the tests.

    On first run the credentials returned by ``vault_utils.init_vault`` are
    handed to ``vault_utils.store_credentails``; on later runs they are read
    back with ``vault_utils.get_credentails``.  The stored data includes the
    unseal keys and the root token, so the credentials file is only suitable
    for disposable test deployments.

    :param cacert: Path to CA cert used for vaults api cert.
    :type cacert: str
    :param unseal_and_authorize: Whether to unseal and authorize vault.
    :type unseal_and_authorize: bool
    """
    clients = vault_utils.get_clients(cacert=cacert)
    vip_client = vault_utils.get_vip_client(cacert=cacert)
    # Talk to the VIP when one is available, else to the first unit client.
    unseal_client = vip_client or clients[0]

    # Credentials are kept on disk so the tests can be re-run against an
    # already-initialised Vault; mainly useful when working on the tests by
    # hand.
    if not vault_utils.is_initialized(unseal_client):
        vault_creds = vault_utils.init_vault(unseal_client)
        vault_utils.store_credentails(vault_creds)
    else:
        vault_creds = vault_utils.get_credentails()

    # Only needed when charms or bundles other than vault drive this setup.
    if not unseal_and_authorize:
        return
    # NOTE(review): only the first unseal key is supplied, which presumably
    # relies on init_vault using a threshold of one - confirm.
    vault_utils.unseal_all(clients, vault_creds['keys'][0])
    root_token = vault_creds['root_token']
    vault_utils.auth_all(clients, root_token)
    vault_utils.run_charm_authorize(root_token)
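def test_unseal(self, test_config=None):
    """Unseal Vault.

    Runs the charm authorize step with the stored root token, then waits
    for the applications to reach the states listed under
    ``target_deploy_status``, with vault's own entry removed.

    :param test_config: (Optional) Zaza test config
    :type test_config: charm_lifecycle.utils.get_charm_config()
    """
    vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    if not test_config:
        test_config = lifecycle_utils.get_charm_config()
    # Remove vault's entry in place, as before, but tolerate it (or the
    # whole 'target_deploy_status' section) being absent, for instance when
    # an earlier test already removed it from the same config object.  The
    # wait below already treats a missing section as empty.
    test_config.get('target_deploy_status', {}).pop('vault', None)
    zaza.model.wait_for_application_states(
        states=test_config.get('target_deploy_status', {}))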
def test_vault_authorize_charm_action(self):
    """Check that the authorize-charm action completes and adds its policy.

    The test is skipped when the deployed vault charm does not define the
    ``authorize-charm`` action.
    """
    if 'authorize-charm' not in zaza.model.get_actions('vault'):
        raise unittest.SkipTest('Action not defined')

    # The action is driven with the root token held by the test class.
    result = vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    self.assertEqual(result.status, 'completed')

    # A completed action is expected to leave 'local-charm-policy' visible
    # through the first client's policy listing.
    policies = self.clients[0].hvac_client.list_policies()
    self.assertIn('local-charm-policy', policies)
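def test_csr(self):
    """Test generating a csr and uploading a signed certificate.

    A throwaway root CA is generated for the test, used to sign the
    intermediate CSR obtained from vault, and uploaded together with the
    signed certificate.  The test then waits for that CA to reach keystone
    and makes an HTTPS request to keystone that trusts only the test CA.

    Skipped when vault has no ``get-csr`` action or when keystone is not
    part of the model.
    """
    vault_actions = zaza.model.get_actions('vault')
    if 'get-csr' not in vault_actions:
        raise unittest.SkipTest('Action not defined')
    try:
        zaza.model.get_application('keystone')
    except KeyError:
        raise unittest.SkipTest('No client to test csr')

    vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    csr_action = vault_utils.run_get_csr()
    intermediate_csr = csr_action.data['results']['output']

    # The CA key exists only in this test process; it is never written out.
    cakey, cacert = zaza.openstack.utilities.cert.generate_cert(
        'DivineAuthority',
        generate_ca=True)
    intermediate_cert = zaza.openstack.utilities.cert.sign_csr(
        intermediate_csr,
        cakey.decode(),
        cacert.decode(),
        generate_ca=True)
    vault_utils.run_upload_signed_csr(
        pem=intermediate_cert,
        root_ca=cacert,
        allowed_domains='openstack.local')

    test_config = lifecycle_utils.get_charm_config()
    # Tolerate vault's entry (or the whole section) being absent, e.g. when
    # another test already removed it from the same config object.
    test_config.get('target_deploy_status', {}).pop('vault', None)
    zaza.model.block_until_file_has_contents(
        'keystone',
        zaza.openstack.utilities.openstack.KEYSTONE_REMOTE_CACERT,
        cacert.decode().strip())
    zaza.model.wait_for_application_states(
        states=test_config.get('target_deploy_status', {}))

    ip = zaza.model.get_app_ips('keystone')[0]
    with tempfile.NamedTemporaryFile(mode='w') as fp:
        fp.write(cacert.decode())
        fp.flush()
        # verify= points at the test CA only, so the request succeeds only
        # if keystone's certificate chains to it; the response itself is
        # not inspected.  The timeout keeps an unreachable endpoint from
        # hanging the test run indefinitely.
        requests.get(
            'https://{}:5000'.format(ip),
            verify=fp.name,
            timeout=60)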
def test_csr(self):
    """Exercise the get-csr / upload-signed-csr round trip.

    A root CA is generated for the test, signs the intermediate CSR issued
    by vault, and is uploaded with the signed certificate.  Once the model
    has settled, ``vault_utils.validate_ca`` is called with the test CA.

    Skipped when vault has no ``get-csr`` action or when keystone is not
    part of the model.
    """
    if 'get-csr' not in zaza.model.get_actions('vault'):
        raise unittest.SkipTest('Action not defined')
    try:
        zaza.model.get_application('keystone')
    except KeyError:
        raise unittest.SkipTest('No client to test csr')

    action = vault_utils.run_charm_authorize(self.vault_creds['root_token'])
    action = vault_utils.run_get_csr()
    csr_pem = action.data['results']['output']

    cert_utils = zaza.openstack.utilities.cert
    # The CA key stays in memory for the duration of the test.
    ca_pair = cert_utils.generate_cert('DivineAuthority', generate_ca=True)
    cakey, cacert = ca_pair
    signed_intermediate = cert_utils.sign_csr(
        csr_pem,
        cakey.decode(),
        cacert.decode(),
        generate_ca=True)
    action = vault_utils.run_upload_signed_csr(
        pem=signed_intermediate,
        root_ca=cacert,
        allowed_domains='openstack.local')

    test_config = lifecycle_utils.get_charm_config()
    try:
        del test_config['target_deploy_status']['vault']
    except KeyError:
        # Nothing to drop: the entry has already been removed.
        pass
    expected_states = test_config.get('target_deploy_status', {})
    zaza.model.wait_for_application_states(states=expected_states)
    vault_utils.validate_ca(cacert)
'coordinator-memcached', 'memcached:cache') wl_statuses['designate'] = { 'workload-status-message': """'coordinator-memcached' missing""", 'workload-status': 'blocked'} logging.info("Waiting for statuses with exceptions ...") model.wait_for_application_states( states=wl_statuses) certificate_directory = mojo_utils.get_local_certificate_directory() certfile = mojo_utils.get_overcloud_cacert_file() logging.info("Vault setup basic ...") vault_setup.basic_setup(cacert=certfile) clients = vault_utils.get_clients(cacert=certfile) vault_creds = vault_utils.get_credentails() vault_utils.unseal_all(clients, vault_creds['keys'][0]) action = vault_utils.run_charm_authorize( vault_creds['root_token']) action = vault_utils.run_get_csr() intermediate_csr = action.data['results']['output'] with open(os.path.join(certificate_directory, 'ca.key'), 'rb') as f: cakey = f.read() with open(os.path.join(certificate_directory, 'cacert.pem'), 'rb') as f: cacert = f.read() intermediate_cert = zaza.openstack.utilities.cert.sign_csr( intermediate_csr, cakey.decode(), cacert.decode(), generate_ca=True) action = vault_utils.run_upload_signed_csr( pem=intermediate_cert, root_ca=cacert, allowed_domains='openstack.local')