From 602a078faa23f0b8415134c3824a255420c87481 Mon Sep 17 00:00:00 2001
From: Pedro Castillo <pedro.castillo@canonical.com>
Date: Mon, 14 Mar 2022 17:54:08 +0000
Subject: [PATCH] Add rotate-admin-password functional test

Add a functional test that verifies the rotate-admin-password action
in the keystone charm.

Relevant patch in the charm-keystone repo:
https://review.opendev.org/c/openstack/charm-keystone/+/832665
---
 zaza/openstack/charm_tests/keystone/tests.py | 41 ++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py
index 477152d..8fd06e3 100644
--- a/zaza/openstack/charm_tests/keystone/tests.py
+++ b/zaza/openstack/charm_tests/keystone/tests.py
@@ -150,6 +150,47 @@ class CharmOperationTest(BaseKeystoneTest):
                              .format(pprint.pformat(unit_repo),
                                      pprint.pformat(lead_repo)))
 
+    def test_rotate_admin_password(self):
+        """Verify action used to rotate admin user's password."""
+        ADMIN_PASSWD = 'admin_passwd'
+        old_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
+
+        # test access using the old password
+        with self.v3_keystone_preferred():
+            for ip in self.keystone_ips:
+                try:
+                    ks_session = openstack_utils.get_keystone_session(
+                        openstack_utils.get_overcloud_auth(address=ip))
+                    ks_client = openstack_utils.get_keystone_session_client(
+                        ks_session)
+                    ks_client.users.list()
+                except keystoneauth1.exceptions.http.Forbidden:
+                    raise zaza_exceptions.KeystoneAuthorizationStrict(
+                        'Keystone auth with old password FAILED.')
+
+        # run the action to rotate the password
+        zaza.model.run_action_on_leader(
+            self.application_name,
+            'rotate-admin-password',
+        )
+
+        # test access using the new password
+        with self.v3_keystone_preferred():
+            for ip in self.keystone_ips:
+                try:
+                    ks_session = openstack_utils.get_keystone_session(
+                        openstack_utils.get_overcloud_auth(address=ip))
+                    ks_client = openstack_utils.get_keystone_session_client(
+                        ks_session)
+                    ks_client.users.list()
+                except keystoneauth1.exceptions.http.Forbidden:
+                    raise zaza_exceptions.KeystoneAuthorizationStrict(
+                        'Keystone auth with new password FAILED.')
+
+        # make sure the password was actually changed
+        new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
+        assert old_passwd != new_passwd
+
 
 class AuthenticationAuthorizationTest(BaseKeystoneTest):
     """Keystone authentication and authorization tests."""