def _revert(): LOG.fixture_step("Revert central https config to {}.".format(origin_https_central)) security_helper.modify_https(enable_https=origin_https_central, auth_info=central_auth) LOG.fixture_step("Revert subcloud https config to {}.".format(origin_https_sub)) security_helper.modify_https(enable_https=origin_https_central, auth_info=sub_auth) LOG.fixture_step("Verify cli's on subcloud and central region.".format(origin_https_sub)) verify_cli(sub_auth, central_auth)
def _test_modify_https(https_config): """ Test enable/disable https Test Steps: - Enable/Disable https via system modify - Ensure config-out-of-date alarm is cleared - Ensure openstack endpint list updated - Repeat above steps for disable/enable """ is_https = https_config configs = (False, True) if is_https else (True, False) for config in configs: LOG.tc_step("{} https on system".format('Enable' if config else 'Disable')) security_helper.modify_https(enable_https=config)
def test_dc_modify_https(revert_https): """ Test enable/disable https Test Steps: - Ensure central region https to be different than subcloud - Wait for subcloud sync audit and ensure subcloud https is not changed - Verify cli's in subcloud and central region - Modify https on central and subcloud - Verify cli's in subcloud and central region Teardown: - Revert https config on central and subcloud """ origin_https_sub, origin_https_central, central_auth, sub_auth = revert_https subcloud = ProjVar.get_var('PRIMARY_SUBCLOUD') new_https_sub = not origin_https_sub new_https_central = not origin_https_central LOG.tc_step( "Ensure central region https to be different than {}".format(subcloud)) security_helper.modify_https(enable_https=new_https_sub, auth_info=central_auth) LOG.tc_step( "Wait for subcloud sync audit and ensure {} https is not changed". format(subcloud)) dc_helper.wait_for_sync_audit(subclouds=subcloud) assert origin_https_sub == keystone_helper.is_https_enabled( auth_info=sub_auth), "HTTPS config changed in subcloud" LOG.tc_step("Verify cli's in {} and central region".format(subcloud)) verify_cli(sub_auth, central_auth) if new_https_central != new_https_sub: LOG.tc_step("Set central region https to {}".format(new_https_central)) security_helper.modify_https(enable_https=new_https_central, auth_info=central_auth) LOG.tc_step("Set {} https to {}".format(subcloud, new_https_sub)) security_helper.modify_https(enable_https=new_https_sub, auth_info=sub_auth) LOG.tc_step( "Verify cli's in {} and central region after https modify on subcloud". format(subcloud)) verify_cli(sub_auth, central_auth)
def test_dc_modify_https(revert_https): """ Test enable/disable https Test Steps: - Ensure central region and subcloud admin endpoint are https - Ensure central region https to be different than subcloud - Wait for subcloud sync audit and ensure subcloud https is not changed - Verify cli's in subcloud and central region - Modify https on central and subcloud - Verify cli's in subcloud and central region - swact central and subcloud - Ensure central region and subcloud admin endpoint are https Teardown: - Revert https config on central and subcloud """ origin_https_sub, origin_https_central, central_auth, sub_auth, use_dnsname = revert_https subcloud = ProjVar.get_var('PRIMARY_SUBCLOUD') LOG.tc_step( "Before testing, Ensure central region and subcloud admin internal endpoint are https") assert keystone_helper.is_https_enabled(interface='admin', auth_info=central_auth), \ "Central region admin internal endpoint is not https" assert keystone_helper.is_https_enabled(interface='admin', auth_info=sub_auth), \ "Subcloud admin internal endpoint is not https" new_https_sub = not origin_https_sub new_https_central = not origin_https_central LOG.tc_step("Ensure central region https to be different than {}".format(subcloud)) security_helper.modify_https(enable_https=new_https_sub, auth_info=central_auth) LOG.tc_step('Check public endpoints accessibility for central region') security_helper.check_services_access(region='RegionOne', auth_info=central_auth, use_dnsname=use_dnsname) LOG.tc_step('Check platform horizon accessibility') security_helper.check_platform_horizon_access(use_dnsname=use_dnsname) LOG.tc_step("Wait for subcloud sync audit with best effort and ensure {} https is not " "changed".format(subcloud)) dc_helper.wait_for_sync_audit(subclouds=subcloud, fail_ok=True, timeout=660) assert origin_https_sub == keystone_helper.is_https_enabled(auth_info=sub_auth), \ "HTTPS config changed in subcloud" LOG.tc_step("Verify cli's in {} and central region".format(subcloud)) verify_cli(sub_auth, central_auth) if new_https_central != new_https_sub: LOG.tc_step("Set central region https to {}".format(new_https_central)) security_helper.modify_https(enable_https=new_https_central, auth_info=central_auth) LOG.tc_step("Ensure central region and subcloud admin internal endpoint are still https") assert keystone_helper.is_https_enabled(interface='admin', auth_info=central_auth), \ "Central region admin internal endpoint is not https" assert keystone_helper.is_https_enabled(interface='admin', auth_info=sub_auth), \ "Subcloud admin internal endpoint is not https" LOG.tc_step('Check public endpoints accessibility for central region') security_helper.check_services_access(region='RegionOne', auth_info=central_auth, use_dnsname=use_dnsname) LOG.tc_step('Check platform horizon accessibility') security_helper.check_platform_horizon_access(use_dnsname=use_dnsname) LOG.tc_step("Set {} https to {}".format(subcloud, new_https_sub)) security_helper.modify_https(enable_https=new_https_sub, auth_info=sub_auth) LOG.tc_step('Check public endpoints accessibility for {} region'.format(subcloud)) security_helper.check_services_access(region=subcloud, auth_info=sub_auth, use_dnsname=use_dnsname) LOG.tc_step("Ensure central region and subcloud admin internal endpoint are still https") assert keystone_helper.is_https_enabled(interface='admin', auth_info=central_auth), \ "Central region admin internal endpoint is not https" assert keystone_helper.is_https_enabled(interface='admin', auth_info=sub_auth), \ "Subcloud admin internal endpoint is not https" LOG.tc_step("Verify cli's in {} and central region after https modify on " "subcloud".format(subcloud)) verify_cli(sub_auth, central_auth) LOG.tc_step("Swact on central region") host_helper.swact_host(auth_info=central_auth) LOG.tc_step( "Verify cli's in {} and central region after central region swact" .format(subcloud)) verify_cli(sub_auth, central_auth) if not system_helper.is_aio_simplex(auth_info=sub_auth): LOG.tc_step("Swact on subcloud {}".format(subcloud)) host_helper.swact_host(auth_info=sub_auth) LOG.tc_step("Verify cli's in {} and central region after subcloud swact".format(subcloud)) verify_cli(sub_auth, central_auth) LOG.tc_step("Ensure after swact, central region and subcloud admin internal endpoint are https") assert keystone_helper.is_https_enabled(interface='admin', auth_info=central_auth), \ "Central region admin internal endpoint is not https" assert keystone_helper.is_https_enabled(interface='admin', auth_info=sub_auth), \ "Subcloud admin internal endpoint is not https"
def _revert(): if not is_https: LOG.fixture_step("Revert system to https {}.".format('enabled' if is_https else 'disabled')) security_helper.modify_https(enable_https=is_https)