From 7e626bcf8606c9026df7f5cefde01e5c88808cef Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 11:53:00 +0000 Subject: [PATCH 1/8] Test the keystone rotate-service-user-password action This test, added as part of the default keystone tests, tests that the service user password can be rotated for the glance application. --- zaza/openstack/charm_tests/keystone/tests.py | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index 8fd06e3..502296d 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py 
@@ -191,6 +191,39 @@ class CharmOperationTest(BaseKeystoneTest): new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD) assert old_passwd != new_passwd + def test_rotate_service_user_password(self): + """Verify action used to rotate a service user (glance) password.""" + GLANCE_PASSWD_KEY = "glance_passwd" + GLANCE_APP = "glance" + + # Only do the test if glance is in the model. + applications = juju_utils.sync_deployed(self.model_name) + if GLANCE_APP not in applications: + self.skipTest( + '{} is not deployed, so not doing password change' + .format(GLANCE_APP)) + # keep the old password to verify it is changed. + old_passwd = juju_utils.leader_get(GLANCE_APP, GLANCE_PASSWD_KEY) + + # verify that images can be listed. + glance_client = openstack_utils.get_glance_session_client(self.admin_keystone_session) + glance_client.images.list() + + # run the action to rotate the password. + zaza.model.run_action_on_leader( + self.application_name, + 'rotate-service-user-password', + action_params={'service-user': 'glance'}, + ) + + # verify that the password has changed + new_passwd = juju_utils.leader_get(GLANCE_APP, GLANCE_PASSWD_KEY) + self.assertNotEqual(old_passwd, new_passwd) + + # verify that the images can still be listed. + glance_client = openstack_utils.get_glance_session_client(self.admin_keystone_session) + glance_client.images.list() + class AuthenticationAuthorizationTest(BaseKeystoneTest): """Keystone authentication and authorization tests.""" From 59632ec6f9f0c3d7809c87efb35d2087bbad8322 Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 12:01:14 +0000 Subject: [PATCH 2/8] Fix pep8 tests --- zaza/openstack/charm_tests/keystone/tests.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index 502296d..2a8739c 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py 
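Review bot: `self.assertNotEqual(old_passwd, new_passwd)` prints both operands when it fails, so a rotation that did not take effect writes the glance service password into the test log. Compare first and assert on the boolean instead, e.g. `self.assertTrue(old_passwd != new_passwd, 'glance password unchanged after rotation')`. The same applies to the `assertNotEqual`/`assertEqual` calls added in PATCH 5/8 of this series. Separately, the result of `zaza.model.run_action_on_leader(...)` is discarded, so a failed action is only noticed indirectly through the password comparison; passing `raise_on_failure=True` would surface it at the call.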
+++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -206,7 +206,8 @@ class CharmOperationTest(BaseKeystoneTest): old_passwd = juju_utils.leader_get(GLANCE_APP, GLANCE_PASSWD_KEY) # verify that images can be listed. - glance_client = openstack_utils.get_glance_session_client(self.admin_keystone_session) + glance_client = openstack_utils.get_glance_session_client( + self.admin_keystone_session) glance_client.images.list() # run the action to rotate the password. @@ -221,7 +222,8 @@ class CharmOperationTest(BaseKeystoneTest): self.assertNotEqual(old_passwd, new_passwd) # verify that the images can still be listed. - glance_client = openstack_utils.get_glance_session_client(self.admin_keystone_session) + glance_client = openstack_utils.get_glance_session_client( + self.admin_keystone_session) glance_client.images.list() From 120a495f6ff640a00e029a305fe08649ce06d334 Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 12:58:45 +0000 Subject: [PATCH 3/8] Switch sync_deployed to zaza.model --- zaza/openstack/charm_tests/keystone/tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index 2a8739c..6f0f88c 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -197,7 +197,7 @@ class CharmOperationTest(BaseKeystoneTest): GLANCE_APP = "glance" # Only do the test if glance is in the model. - applications = juju_utils.sync_deployed(self.model_name) + applications = zaza.model.sync_deployed(self.model_name) if GLANCE_APP not in applications: self.skipTest( '{} is not deployed, so not doing password change' From 4f1b0fc09ff352b9dda48ce936403ddb0df705ae Mon Sep 17 00:00:00 2001 
From: Alex Kavanagh Date: Tue, 21 Feb 2023 15:57:37 +0000 Subject: [PATCH 4/8] Get the password from keystone, not glance for leader-settings. --- zaza/openstack/charm_tests/keystone/tests.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index 6f0f88c..7fbee37 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -203,7 +203,8 @@ class CharmOperationTest(BaseKeystoneTest): '{} is not deployed, so not doing password change' .format(GLANCE_APP)) # keep the old password to verify it is changed. - old_passwd = juju_utils.leader_get(GLANCE_APP, GLANCE_PASSWD_KEY) + old_passwd = juju_utils.leader_get( + self.application_name, GLANCE_PASSWD_KEY) # verify that images can be listed. glance_client = openstack_utils.get_glance_session_client( @@ -218,7 +219,8 @@ class CharmOperationTest(BaseKeystoneTest): ) # verify that the password has changed - new_passwd = juju_utils.leader_get(GLANCE_APP, GLANCE_PASSWD_KEY) + new_passwd = juju_utils.leader_get( + self.application_name, GLANCE_PASSWD_KEY) self.assertNotEqual(old_passwd, new_passwd) # verify that the images can still be listed. From 544d0d5a7cbf10cb864247eee97b4480141ec295 Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 16:17:55 +0000 Subject: [PATCH 5/8] Ensure that the ondisk glance passwords change in the conf file --- zaza/openstack/charm_tests/keystone/tests.py | 21 +++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index 7fbee37..e7c4faf 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -14,6 +14,7 @@ """Encapsulate keystone testing.""" import collections +import configparser import json import logging import pprint 
@@ -195,6 +196,13 @@ class CharmOperationTest(BaseKeystoneTest): """Verify action used to rotate a service user (glance) password.""" GLANCE_PASSWD_KEY = "glance_passwd" GLANCE_APP = "glance" + GLANCE_CONF_FILE = '/etc/glance/glance-api.conf' + + def _get_password_from_leader(): + conf = zaza.model.file_contents('glance/leader', GLANCE_CONF_FILE) + config = configparser.ConfigParser() + config.read(conf) + return config['image_format']['password'].strip() # Only do the test if glance is in the model. applications = zaza.model.sync_deployed(self.model_name) @@ -203,8 +211,9 @@ class CharmOperationTest(BaseKeystoneTest): '{} is not deployed, so not doing password change' .format(GLANCE_APP)) # keep the old password to verify it is changed. - old_passwd = juju_utils.leader_get( + old_passwd_leader_storage = juju_utils.leader_get( self.application_name, GLANCE_PASSWD_KEY) + old_passwd_conf = _get_password_from_leader() # verify that images can be listed. glance_client = openstack_utils.get_glance_session_client( @@ -219,9 +228,15 @@ class CharmOperationTest(BaseKeystoneTest): ) # verify that the password has changed - new_passwd = juju_utils.leader_get( + new_passwd_leader_storage = juju_utils.leader_get( self.application_name, GLANCE_PASSWD_KEY) - self.assertNotEqual(old_passwd, new_passwd) + new_passwd_conf = _get_password_from_leader() + self.assertNotEqual(old_passwd_leader_storage, + new_passwd_leader_storage) + self.assertNotEqual(old_passwd_conf, + new_passwd_conf) + self.assertEqual(new_passwd_leader_storage, new_passwd_conf) + # verify that the images can still be listed. glance_client = openstack_utils.get_glance_session_client( From 3bb64912e7e947565c8b8781122be52157e2e0b0 Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 17:16:40 +0000 Subject: [PATCH 6/8] Another silly error - read from string rather that file. --- zaza/openstack/charm_tests/keystone/tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
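Review bot: `configparser.ConfigParser()` in `_get_password_from_leader` is created with its defaults, which apply `%` interpolation when `config[...]['password']` is read and reject duplicate options at parse time. A password containing `%` would raise an interpolation error instead of returning the value, and glance-api.conf is an oslo.config file that may repeat an option (not visible here); `config = configparser.ConfigParser(interpolation=None, strict=False)` reads the value literally. The helper also has no docstring, and its name suggests leader settings although it reads a file on the glance leader unit; a one-line docstring such as `"""Return the service password from glance-api.conf on the glance leader unit."""` would make that clear. The unit name `'glance/leader'` could be built from `GLANCE_APP` rather than repeated as a literal.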
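Review bot: In the `@@ -219,9 +228,15 @@` hunk, `new_passwd_conf = _get_password_from_leader()` runs straight after the action, with nothing waiting for the glance unit to receive the new credential and rewrite its configuration. The `assertNotEqual(old_passwd_conf, new_passwd_conf)` check and the `assertEqual` against leader storage can therefore race the relation update. Whether `run_action_on_leader` returning implies glance has settled is not visible here; if it does not, add `zaza.model.block_until_all_units_idle()` between the action and the reads. The final `glance_client.images.list()` has the same dependency, and the test method starts and ends outside this hunk.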
diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index e7c4faf..b4c4124 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -201,7 +201,7 @@ class CharmOperationTest(BaseKeystoneTest): def _get_password_from_leader(): conf = zaza.model.file_contents('glance/leader', GLANCE_CONF_FILE) config = configparser.ConfigParser() - config.read(conf) + config.read_string(conf) return config['image_format']['password'].strip() # Only do the test if glance is in the model. From d19a5406410b072aee3903441b1d210ab0462ce4 Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Tue, 21 Feb 2023 18:38:00 +0000 Subject: [PATCH 7/8] Fix mistake in which section to use for password --- zaza/openstack/charm_tests/keystone/tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index b4c4124..f12c382 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py +++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -202,7 +202,7 @@ class CharmOperationTest(BaseKeystoneTest): conf = zaza.model.file_contents('glance/leader', GLANCE_CONF_FILE) config = configparser.ConfigParser() config.read_string(conf) - return config['image_format']['password'].strip() + return config['keystone_authtoken']['password'].strip() # Only do the test if glance is in the model. applications = zaza.model.sync_deployed(self.model_name) From eb4224284f0d533ed26bd3bb73964cf6da0f57ff Mon Sep 17 00:00:00 2001 From: Alex Kavanagh Date: Wed, 22 Feb 2023 17:05:01 +0000 Subject: [PATCH 8/8] Fix pep8 error in .../keystone/tests.py --- zaza/openstack/charm_tests/keystone/tests.py | 1 - 1 file changed, 1 deletion(-) diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py index f12c382..49a2447 100644 --- a/zaza/openstack/charm_tests/keystone/tests.py 
+++ b/zaza/openstack/charm_tests/keystone/tests.py @@ -237,7 +237,6 @@ class CharmOperationTest(BaseKeystoneTest): new_passwd_conf) self.assertEqual(new_passwd_leader_storage, new_passwd_conf) - # verify that the images can still be listed. glance_client = openstack_utils.get_glance_session_client( self.admin_keystone_session)