def test_update_encryption_key_id(self, mock_barbican_client):
    """Check the migrated key ID is written to a volume and its snapshots.

    ``mock_barbican_client`` is presumably injected by a patch decorator
    that is not part of this block.
    """
    volume = self.create_volume()
    snapshot_ids = (fake.SNAPSHOT_ID, fake.SNAPSHOT2_ID, fake.SNAPSHOT3_ID)
    for snapshot_id in snapshot_ids:
        tests_utils.create_snapshot(self.context, volume.id, id=snapshot_id)

    # The reference handed back by Barbican's secret.store() is a URI
    # whose trailing component is the secret's key ID.
    stored_ref = 'http://some/path/' + fake.ENCRYPTION_KEY_ID
    barbican_secret = mock.MagicMock()
    barbican_secret.store.return_value = stored_ref
    secrets_api = mock_barbican_client.return_value.secrets
    secrets_api.create.return_value = barbican_secret

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # The volume row must carry the key ID parsed out of the stored URI.
    volume_row = db.volume_get(self.context, volume.id)
    self.assertEqual(fake.ENCRYPTION_KEY_ID,
                     volume_row['encryption_key_id'])

    # Every snapshot of that volume must have been updated as well.
    for snapshot_id in snapshot_ids:
        snapshot_row = db.snapshot_get(self.context, snapshot_id)
        self.assertEqual(fake.ENCRYPTION_KEY_ID,
                         snapshot_row['encryption_key_id'])
def test_fail_no_barbican_client(self,
                                 mock_barbican_client,
                                 mock_migrate_volume_key):
    """Check no volume key is migrated when the Barbican client fails.

    The client mock raises ``Exception`` when called. The migration call
    is not wrapped in an ``assertRaises``, so it is expected to return
    normally without ever reaching the per-volume key migration.
    """
    self.create_volume()
    mock_barbican_client.side_effect = Exception

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    mock_migrate_volume_key.assert_not_called()
def test_fixed_key_migration(self,
                             mock_barbican_client,
                             mock_update_encryption_key_id):
    """Check only objects that still use the fixed key are migrated."""
    # Volumes: the two created without arguments carry the fixed key ID
    # and need migrating; the others have a different key ID or none.
    fixed_vol_a = self.create_volume()
    self.create_volume(key_id=fake.UUID1)
    self.create_volume(key_id=None)
    fixed_vol_b = self.create_volume()
    self.create_volume(key_id=fake.UUID2)

    # Backups: the same mix of fixed-key, other-key and keyless objects.
    self.create_backup(key_id=None)
    self.create_backup(key_id=fake.UUID3)
    fixed_bak_a = self.create_backup()
    self.create_backup(key_id=fake.UUID4)
    fixed_bak_b = self.create_backup()

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    to_migrate = (fixed_vol_a, fixed_vol_b, fixed_bak_a, fixed_bak_b)
    expected_calls = [mock.call(item) for item in to_migrate]
    mock_update_encryption_key_id.assert_has_calls(expected_calls,
                                                   any_order=True)
    # assert_has_calls tolerates extra calls, so the count is pinned too:
    # objects with another key ID or no key ID must not be touched.
    self.assertEqual(mock_update_encryption_key_id.call_count,
                     len(expected_calls))
def test_update_backup_encryption_key_id(self,
                                         mock_barbican_client,
                                         mock_get_barbican_key_id):
    """Check a migrated backup is saved with the Barbican key ID."""
    backup = self.create_backup()
    # Whatever key ID the Barbican lookup yields is what must be stored.
    mock_get_barbican_key_id.return_value = fake.ENCRYPTION_KEY_ID

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    backup_row = db.backup_get(self.context, backup.id)
    self.assertEqual(fake.ENCRYPTION_KEY_ID,
                     backup_row['encryption_key_id'])
def test_fixed_key_migration(self,
                             mock_barbican_client,
                             mock_update_encryption_key_id):
    """Check the key ID update runs once per fixed-key volume and backup."""
    # NOTE(review): an earlier method in this listing has the same name; if
    # both sit in one class, only the later definition is kept and run.

    # Two volumes carry the fixed key ID and must be migrated; the rest
    # either use some other key ID or have none at all.
    first_vol = self.create_volume()
    self.create_volume(key_id=fake.UUID1)
    self.create_volume(key_id=None)
    second_vol = self.create_volume()
    self.create_volume(key_id=fake.UUID2)

    # A handful of backups, again with only two on the fixed key.
    self.create_backup(key_id=None)
    self.create_backup(key_id=fake.UUID3)
    first_bak = self.create_backup()
    self.create_backup(key_id=fake.UUID4)
    second_bak = self.create_backup()

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    expected_calls = list(
        map(mock.call, (first_vol, second_vol, first_bak, second_bak)))
    mock_update_encryption_key_id.assert_has_calls(expected_calls,
                                                   any_order=True)
    # The exact count rules out updates to objects that were not on the
    # fixed key.
    self.assertEqual(mock_update_encryption_key_id.call_count,
                     len(expected_calls))
def test_no_fixed_key(self, mock_log_migration_status, mock_migrate_keys):
    """Check the migration does nothing when no fixed key is configured."""
    self.create_volume()
    # Clear the [key_manager] fixed_key option: there is no key to move.
    self.conf.set_override('fixed_key', None, group='key_manager')

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # Neither the key migration nor the status log may run.
    for unexpected in (mock_migrate_keys, mock_log_migration_status):
        unexpected.assert_not_called()
def test_migration_status_all_done(self, mock_migrate_keys):
    """Check the status log when no volume is left on the fixed key."""
    log_double = self.mock_object(migration, 'LOG')
    # This volume already has a non-fixed key ID, so nothing is pending.
    self.create_volume(key_id=fake.ENCRYPTION_KEY_ID)

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # Expect a single info message (all done) and no warnings at all.
    log_double.warning.assert_not_called()
    self.assertEqual(log_double.info.call_count, 1)
def test_fail_too_many_errors(self,
                              mock_barbican_client,
                              mock_migrate_volume_key):
    """Check the migration stops early once too many keys have failed."""
    error_limit = migration.MAX_KEY_MIGRATION_ERRORS
    # Create more volumes than the migration is expected to attempt.
    for _ in range(error_limit + 3):
        self.create_volume()
    # Every per-volume key migration fails.
    mock_migrate_volume_key.side_effect = Exception

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # Exactly limit + 1 attempts are expected although limit + 3 volumes
    # exist, i.e. the run is cut short rather than tried for every volume.
    self.assertEqual(mock_migrate_volume_key.call_count,
                     (migration.MAX_KEY_MIGRATION_ERRORS + 1))
def test_migration_status_more_to_migrate(self, mock_migrate_keys):
    """Check the status log when a volume is still on the fixed key."""
    log_double = self.mock_object(migration, 'LOG')
    # The key migration itself is mocked out, so this volume stays
    # unmigrated.
    self.create_volume()

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # Expect a single warning (more to migrate) and no info messages.
    log_double.info.assert_not_called()
    self.assertEqual(log_double.warning.call_count, 1)
def test_using_unsupported_key_manager(self,
                                       mock_log_migration_status,
                                       mock_migrate_keys):
    """Check keys are not migrated to an unsupported key manager.

    The status is still logged once, so pending migrations stay visible
    to the operator even though nothing is moved.
    """
    self.create_volume()
    self.conf.set_override('backend',
                           'some.OtherKeyManager',
                           group='key_manager')

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    mock_migrate_keys.assert_not_called()
    mock_log_migration_status.assert_called_once_with()
def test_migration_status_more_to_migrate(self, mock_migrate_keys):
    """Check the status log with a pending volume and no backups."""
    # NOTE(review): an earlier method in this listing has the same name; if
    # both sit in one class, only the later definition is kept and run.
    log_double = self.mock_object(migration, 'LOG')
    self.create_volume()

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    # Expect one warning (volumes remain to be migrated) and one info
    # message (no backups to migrate).
    observed = (log_double.warning.call_count, log_double.info.call_count)
    self.assertEqual(observed[0], 1)
    self.assertEqual(observed[1], 1)
def test_using_conf_key_manager(self,
                                mock_log_migration_status,
                                mock_migrate_keys):
    """Check nothing happens while the ConfKeyManager backend is in use."""
    self.create_volume()
    self.conf.set_override('backend',
                           'some.ConfKeyManager',
                           group='key_manager')

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    # With this backend neither the migration nor the status log runs.
    for unexpected in (mock_migrate_keys, mock_log_migration_status):
        unexpected.assert_not_called()
def test_using_barbican_module_path(self,
                                    mock_log_migration_status,
                                    mock_migrate_keys):
    """Check the full Barbican class path is recognised as the backend."""
    self.create_volume()
    # Name the Barbican backend by its long-hand dotted path rather than
    # a short alias; it has to be parsed as Barbican all the same.
    barbican_path = (
        'castellan.key_manager.barbican_key_manager.BarbicanKeyManager')
    self.conf.set_override('backend', barbican_path, group='key_manager')

    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    mock_migrate_keys.assert_called_once_with(self.my_vols)
    mock_log_migration_status.assert_called_once_with()
def test_update_volume_encryption_key_id(self,
                                         mock_barbican_client,
                                         mock_get_barbican_key_id):
    """Check a migrated volume and its snapshots get the Barbican key ID."""
    volume = self.create_volume()
    snapshot_ids = (fake.SNAPSHOT_ID, fake.SNAPSHOT2_ID, fake.SNAPSHOT3_ID)
    for snapshot_id in snapshot_ids:
        tests_utils.create_snapshot(self.context, volume.id, id=snapshot_id)
    # Whatever key ID the Barbican lookup yields is what must be stored.
    mock_get_barbican_key_id.return_value = fake.ENCRYPTION_KEY_ID

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    volume_row = db.volume_get(self.context, volume.id)
    self.assertEqual(fake.ENCRYPTION_KEY_ID,
                     volume_row['encryption_key_id'])

    # Snapshots must follow the volume; none may keep the old key ID.
    for snapshot_id in snapshot_ids:
        snapshot_row = db.snapshot_get(self.context, snapshot_id)
        self.assertEqual(fake.ENCRYPTION_KEY_ID,
                         snapshot_row['encryption_key_id'])
def test_get_barbican_key_id(self, mock_barbican_client):
    """Check the secret's ACL is created and the key ID is recorded.

    After the key is stored, an ACL must be created on the returned
    secret reference for exactly one user (``fake.USER_ID``, presumably
    the owner of the volume built by ``create_volume``) and submitted.
    """
    volume = self.create_volume()

    # The reference handed back by Barbican's secret.store() is a URI
    # whose trailing component is the secret's key ID.
    stored_ref = 'http://some/path/' + fake.ENCRYPTION_KEY_ID
    barbican_secret = mock.MagicMock()
    barbican_secret.store.return_value = stored_ref
    secrets_api = mock_barbican_client.return_value.secrets
    secrets_api.create.return_value = barbican_secret

    migration.migrate_fixed_key(self.my_vols, self.my_baks, conf=self.conf)

    # Access control: one ACL, scoped to the stored secret and a single
    # user, and actually submitted rather than only constructed.
    acls_create = mock_barbican_client.return_value.acls.create
    acls_create.assert_called_once_with(entity_ref=stored_ref,
                                        users=[fake.USER_ID])
    acls_create.return_value.submit.assert_called_once_with()

    volume_row = db.volume_get(self.context, volume.id)
    self.assertEqual(fake.ENCRYPTION_KEY_ID,
                     volume_row['encryption_key_id'])
def test_no_volumes(self, mock_log_migration_status, mock_migrate_keys):
    """Check an empty volume list skips migration but still logs status."""
    # No volume is created here before the migration is invoked.
    migration.migrate_fixed_key(self.my_vols, conf=self.conf)

    mock_migrate_keys.assert_not_called()
    mock_log_migration_status.assert_called_once_with()