From 58f2b88365ab919e0cfe18ba98d3b290bbf2d3bf Mon Sep 17 00:00:00 2001
From: Liam Young <liam.young@canonical.com>
Date: Wed, 11 Jan 2023 15:19:40 +0000
Subject: [PATCH] Test get-csr with existing CA (#974)

Check that if an existing CA is present then get-csr requires the
force flag. Test using new action name regenerate-intermediate-ca
---
 zaza/openstack/charm_tests/vault/tests.py | 40 +++++++++++++++--------
 zaza/openstack/charm_tests/vault/utils.py |  8 +++--
 2 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/zaza/openstack/charm_tests/vault/tests.py b/zaza/openstack/charm_tests/vault/tests.py
index 99f3872..e952b75 100644
--- a/zaza/openstack/charm_tests/vault/tests.py
+++ b/zaza/openstack/charm_tests/vault/tests.py
@@ -152,20 +152,9 @@ class VaultTest(BaseVaultTest):
         """Run setup for Vault tests."""
         super(VaultTest, cls).setUpClass()
 
-    def test_csr(self):
-        """Test generating a csr and uploading a signed certificate."""
-        vault_actions = zaza.model.get_actions(
-            'vault')
-        if 'get-csr' not in vault_actions:
-            raise unittest.SkipTest('Action not defined')
-        try:
-            zaza.model.get_application(
-                'keystone')
-        except KeyError:
-            raise unittest.SkipTest('No client to test csr')
-        action = vault_utils.run_charm_authorize(
-            self.vault_creds['root_token'])
-        action = vault_utils.run_get_csr()
+    def update_intermediate_csr(self, force=False):
+        """Get a intermediate csr from vault, sign it and upload."""
+        action = vault_utils.run_get_csr(force=force)
 
         intermediate_csr = action.data['results']['output']
         (cakey, cacert) = zaza.openstack.utilities.cert.generate_cert(
@@ -192,6 +181,29 @@ class VaultTest(BaseVaultTest):
 
         vault_utils.validate_ca(cacert)
 
+    def test_csr(self):
+        """Test generating a csr and uploading a signed certificate."""
+        vault_actions = zaza.model.get_actions(
+            'vault')
+        if 'get-csr' not in vault_actions:
+            raise unittest.SkipTest('Action not defined')
+        try:
+            zaza.model.get_application(
+                'keystone')
+        except KeyError:
+            raise unittest.SkipTest('No client to test csr')
+        action = vault_utils.run_charm_authorize(
+            self.vault_creds['root_token'])
+        self.update_intermediate_csr()
+
+        # Now that a valid CA is present the get_csr action should require
+        # a force option.
+        logging.info("Re-issuing get-csr and checking it fails")
+        action = vault_utils.run_get_csr()
+        self.assertEqual(action.status, 'failed')
+        logging.info("Re-issuing get-csr with force=True")
+        self.update_intermediate_csr(force=True)
+
     def test_all_clients_authenticated(self):
         """Check all vault clients are authenticated."""
         for client in self.clients:
diff --git a/zaza/openstack/charm_tests/vault/utils.py b/zaza/openstack/charm_tests/vault/utils.py
index 72cbac4..3e752ea 100644
--- a/zaza/openstack/charm_tests/vault/utils.py
+++ b/zaza/openstack/charm_tests/vault/utils.py
@@ -474,18 +474,20 @@ def run_charm_authorize(token):
         action_params={'token': token})
 
 
-def run_get_csr():
+def run_get_csr(force=False):
     """Retrieve CSR from vault.
 
     Run vault charm action to retrieve CSR from vault.
 
+    :param force: Whether to force the request even if valid CA is present.
+    :type force: bool
     :returns: Action object
     :rtype: juju.action.Action
     """
     return zaza.model.run_action_on_leader(
         'vault',
-        'get-csr',
-        action_params={})
+        'regenerate-intermediate-ca',
+        action_params={'force': force})
 
 
 def run_upload_signed_csr(pem, root_ca, allowed_domains):