From 5927878a0383fce4d6ff4f107d7aa5c3d5cfa1e8 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Tue, 4 Feb 2020 10:10:50 +0000
Subject: [PATCH] Tidyup mojo cert unseal
---
 .../charm_tests/series_upgrade/tests.py | 10 ++++---
 zaza/openstack/charm_tests/vault/setup.py | 28 ++++++++-----------
 zaza/openstack/charm_tests/vault/utils.py | 4 ---
 zaza/openstack/utilities/exceptions.py | 6 ++++
 zaza/openstack/utilities/generic.py | 19 +++++++++++++
 5 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/zaza/openstack/charm_tests/series_upgrade/tests.py b/zaza/openstack/charm_tests/series_upgrade/tests.py
index ab82b0d..bd49c8a 100644
--- a/zaza/openstack/charm_tests/series_upgrade/tests.py
+++ b/zaza/openstack/charm_tests/series_upgrade/tests.py
@@ -83,12 +83,14 @@ class SeriesUpgradeTest(unittest.TestCase):
 pause_non_leader_primary = False
 pause_non_leader_subordinate = False
 if "vault" in applications[application]["charm"]:
+ origin = None
+ pause_non_leader_primary = False
+ pause_non_leader_subordinate = True
 post_upgrade_functions = [
 ('zaza.openstack.charm_tests.vault.setup.'
- 'basic_unseal_mojo_cacert')]
- if ("mongodb" in applications[application]["charm"] or
- "vault" in applications[application]["charm"]):
- # Mongodb and vault need to run series upgrade
+ 'mojo_unseal_by_unit')]
+ if "mongodb" in applications[application]["charm"]:
+ # Mongodb needs to run series upgrade
 # on its secondaries first.
 generic_utils.series_upgrade_non_leaders_first(
 application,
diff --git a/zaza/openstack/charm_tests/vault/setup.py b/zaza/openstack/charm_tests/vault/setup.py
index 6942393..9ea409d 100644
--- a/zaza/openstack/charm_tests/vault/setup.py
+++ b/zaza/openstack/charm_tests/vault/setup.py
@@ -15,7 +15,6 @@
 """Run configuration phase."""
 import functools
-import os
 import requests
 import tempfile 
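Review bot: Inside the vault branch, `pause_non_leader_primary = False` re-assigns the value already set two lines earlier in this hunk, so only `origin = None` and `pause_non_leader_subordinate = True` change anything; dropping the redundant line makes the intent clearer. If `origin` was computed earlier in the method (outside the hunk), `origin = None` silently discards it for vault, and a one-line comment such as `# vault carries no openstack-origin, so there is nothing to bump` would document why. Note also that the post-upgrade hook now resolves to `mojo_unseal_by_unit`, which (per the generic.py hunk) raises `CACERTNotFound` when `MOJO_LOCAL_DIR` is unset, so this test path now hard-depends on a Mojo environment — worth stating in the test's docstring. The enclosing method starts and ends outside the hunk.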
@@ -24,6 +23,7 @@ import zaza.openstack.charm_tests.vault.utils as vault_utils
 import zaza.model
 import zaza.openstack.utilities.cert
 import zaza.openstack.utilities.openstack
+import zaza.openstack.utilities.generic
 def basic_setup(cacert=None, unseal_and_authorize=False):
@@ -52,21 +52,17 @@ def basic_setup_and_unseal(cacert=None):
 zaza.model.run_on_unit(unit.name, './hooks/update-status')
-def basic_unseal_mojo_cacert():
- """Unseal Vault and search for cacert to use.
-
- This is designed to be used from a mojo spec where certs are stored in the
- $MOJO_LOCAL directory.
- """
- try:
- cert_dir = os.environ['MOJO_LOCAL_DIR']
- except KeyError:
- raise Exception("Could not find cacert.pem, MOJO_LOCAL unset")
- cacert = os.path.join(cert_dir, 'cacert.pem')
- if os.path.exists(cacert):
- basic_setup_and_unseal(cacert=cacert)
- else:
- raise Exception("Could not find cacert.pem")
+def mojo_unseal_by_unit():
+ """Unseal any units reported as sealed using mojo cacert."""
+ cacert = zaza.openstack.utilities.generic.get_mojo_cacert()
+ vault_creds = vault_utils.get_credentails()
+ for client in vault_utils.get_clients(cacert=cacert):
+ if client.hvac_client.is_sealed():
+ client.hvac_client.unseal(vault_creds['keys'][0])
+ unit_name = zaza.utilities.juju.get_unit_name_from_ip_address(
+ client.addr,
+ 'vault')
+ zaza.model.run_on_unit(unit_name, './hooks/update-status')
 def auto_initialize(cacert=None, validation_application='keystone'):
diff --git a/zaza/openstack/charm_tests/vault/utils.py b/zaza/openstack/charm_tests/vault/utils.py
index c0ac82e..b6f4cf5 100644
--- a/zaza/openstack/charm_tests/vault/utils.py
+++ b/zaza/openstack/charm_tests/vault/utils.py
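Review bot: `mojo_unseal_by_unit` calls `zaza.utilities.juju.get_unit_name_from_ip_address`, but the import block touched in the preceding hunk only brings in `zaza.model`, the `zaza.openstack.utilities.*` modules and the `vault_utils` alias; unless `zaza.utilities.juju` is imported transitively by one of those, this raises `AttributeError` the first time a sealed unit is found. Add `import zaza.utilities.juju` next to `import zaza.model`. The loop also unseals every sealed client with `vault_creds['keys'][0]` alone, which assumes a key threshold of one — presumably the same assumption the existing unseal helpers make, but the docstring should say so and should list `:raises: zaza_exceptions.CACERTNotFound` since `get_mojo_cacert` propagates it. Finally, `basic_unseal_mojo_cacert` is removed rather than deprecated; if any mojo spec outside this repository still names it by dotted path (as tests.py did), that spec now fails with `AttributeError`, so the commit message should call out the rename.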
@@ -55,10 +55,6 @@ class VaultFacade:
 self.vip_client = get_vip_client(cacert=cacert)
 if self.vip_client:
 self.unseal_client = self.vip_client
- try:
- self.unseal_client.hvac_client.is_initialized()
- except requests.exceptions.ConnectionError:
- self.unseal_client = self.clients[0]
 else:
 self.unseal_client = self.clients[0]
 self.initialized = is_initialized(self.unseal_client)
diff --git a/zaza/openstack/utilities/exceptions.py b/zaza/openstack/utilities/exceptions.py
index f59b4c1..e9e5d23 100644
--- a/zaza/openstack/utilities/exceptions.py
+++ b/zaza/openstack/utilities/exceptions.py
@@ -184,3 +184,9 @@ class PolicydError(Exception):
 """Policyd override failed."""
 pass
+
+
+class CACERTNotFound(Exception):
+ """Could not find cacert."""
+
+ pass
diff --git a/zaza/openstack/utilities/generic.py b/zaza/openstack/utilities/generic.py
index 7b673d0..c3a7afb 100644
--- a/zaza/openstack/utilities/generic.py
+++ b/zaza/openstack/utilities/generic.py
@@ -850,3 +850,22 @@ def systemctl(unit, service, command="restart"):
 unit.entity_id, cmd)
 assert int(result['Code']) == 0, (
 "{} of {} on {} failed".format(command, service, unit.entity_id))
+
+
+def get_mojo_cacert():
+ """Retrieve cacert from Mojo storage location.
+
+ :returns: Pathh to cacert
+ :rtype: str
+ :raises: zaza_exceptions.CACERTNotFound
+ """
+ try:
+ cert_dir = os.environ['MOJO_LOCAL_DIR']
+ except KeyError:
+ raise zaza_exceptions.CACERTNotFound(
+ "Could not find cacert.pem, MOJO_LOCAL_DIR unset")
+ cacert = os.path.join(cert_dir, 'cacert.pem')
+ if os.path.exists(cacert):
+ return cacert
+ else:
+ raise zaza_exceptions.CACERTNotFound("Could not find cacert.pem")
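Review bot: With the `ConnectionError` fallback removed, a `get_vip_client` result whose VIP is not yet reachable makes `is_initialized(self.unseal_client)` on the last context line propagate the connection error instead of falling back to `self.clients[0]`. If that is intended — the VIP is expected to be up by the time the facade is built — a one-line comment such as `# VIP is expected to be reachable here; no per-unit fallback` would stop the next reader re-adding the try/except. If `requests` was imported in this module only for the removed `except` clause, it is now an unused import; the import block is outside the hunk, so please check it. The `__init__` this hunk belongs to starts outside the hunk.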
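Review bot: `os.path.exists(cacert)` in `get_mojo_cacert` also succeeds for a directory or other non-file entry at that path, and the returned path is then used by the vault clients as their TLS trust anchor, so a wrong entry fails later and less clearly; `if os.path.isfile(cacert):` is the check that matches what the docstring promises. The second error message should name the location searched, e.g. `"Could not find cacert.pem in {}".format(cert_dir)`, and the re-raise inside `except KeyError` should use `raise ... from None` (or `from e`) so the traceback does not carry the unrelated `KeyError` context. The docstring has a typo, `Pathh` → `Path`, and should say the file is looked up as `$MOJO_LOCAL_DIR/cacert.pem`. The hunk assumes `os` and `zaza_exceptions` are already imported in generic.py; the import block is outside the hunk.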