From 83e5dc798c6a1b3114b8526d7a3cc1a5aa8eb618 Mon Sep 17 00:00:00 2001 From: Garrett Thompson Date: Tue, 9 Feb 2021 19:47:40 -0800 Subject: [PATCH 1/4] Refactor security checklist test to another class This will allow security checks to be logically separate from other functional tests, and adhere to a similar design pattern that is used in other charm tests (see nova [0]) for an example. It will also highlight which security checks are currently passing, and which are not. [0] https://github.com/openstack-charmers/zaza-openstack-tests/blob/35840a66d6788dc4899847747ee7523895f46e1b/zaza/openstack/charm_tests/nova/tests.py#L485-L529 Partial-Bug: #1883196 --- .../charm_tests/openstack_dashboard/tests.py | 53 +++++++++++++++---- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/zaza/openstack/charm_tests/openstack_dashboard/tests.py b/zaza/openstack/charm_tests/openstack_dashboard/tests.py index 9588c6f..5944964 100644 --- a/zaza/openstack/charm_tests/openstack_dashboard/tests.py +++ b/zaza/openstack/charm_tests/openstack_dashboard/tests.py @@ -407,17 +407,6 @@ class OpenStackDashboardTests(test_utils.OpenStackBaseTest, self.assertEqual(e.code, 404, msg) logging.info('OK') - def test_501_security_checklist_action(self): - """Verify expected result on a default install. - - Ported from amulet tests. - """ - logging.info("Testing security-checklist") - unit_name = zaza_model.get_lead_unit_name('openstack-dashboard') - action = zaza_model.run_action(unit_name, 'security-checklist') - assert action.data.get(u"status") == "failed", \ - "Security check is expected to not pass by default" - def test_900_restart_on_config_change(self): """Verify that the specified services are restarted on config changed. 
@@ -520,3 +509,45 @@ class OpenStackDashboardPolicydTests(policyd.BasePolicydSpecialization, result = client.get(_url) if result.status_code == 403: raise policyd.PolicydOperationFailedException("Not authenticated") + + +class SecurityTests(test_utils.OpenStackBaseTest, + OpenStackDashboardBase): + """Openstack-dashboard security tests.""" + + @classmethod + def setUpClass(cls): + """Run class setup for running openstack-dashboard SecurityTests.""" + super(SecurityTests, cls).setUpClass() + + def test_security_checklist(self): + """Verify expected state with security checklist.""" + logging.info("Testing security checklist.") + + expected_failures = [ + 'csrf_cookie_set', + 'disable_password_reveal', + 'disallow-iframe-embed', + 'password-validator-is-not-default', + 'securie_proxy_ssl_header_is_set', + 'session_cookie-httponly', + 'session-cookie-store', + ] + expected_passes = [ + 'disable_password_autocomplete', + 'enforce-password-check', + 'validate-file-ownership', + 'validate-file-permissions' + ] + + logging.info('Running `security-checklist` action' + ' on {} leader'.format(self.application_name)) + test_utils.audit_assertions( + zaza_model.run_action_on_leader( + self.application_name, + 'security-checklist', + model_name=self.model_name, + action_params={}), + expected_passes, + expected_failures, + expected_to_pass=False) From 5b9db73fc7c63979741a52fabff449499a477132 Mon Sep 17 00:00:00 2001 From: Garrett Thompson Date: Wed, 10 Feb 2021 06:40:09 -0800 Subject: [PATCH 2/4] Fix indentation for pep8 --- zaza/openstack/charm_tests/openstack_dashboard/tests.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zaza/openstack/charm_tests/openstack_dashboard/tests.py b/zaza/openstack/charm_tests/openstack_dashboard/tests.py index 5944964..5cd341c 100644 --- a/zaza/openstack/charm_tests/openstack_dashboard/tests.py +++ b/zaza/openstack/charm_tests/openstack_dashboard/tests.py 
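Review bot: Two entries in the new `expected_failures` list look mistyped — `'securie_proxy_ssl_header_is_set'` (presumably meant `secure_proxy_ssl_header_is_set`) and `'session_cookie-httponly'`, which mixes `_` and `-` unlike its neighbours `'csrf_cookie_set'` and `'session-cookie-store'`. If `test_utils.audit_assertions` matches these strings against the check names in the action result, a misspelled entry can never match, so the check it stands for is either never asserted or fails the test for a reason unrelated to the dashboard's configuration; the names should be copied verbatim from the action output. The list also deserves a comment such as `# Checks a default install is known not to satisfy; dropping an entry is a deliberate claim that the charm now hardens it` so that it reads as a tracked baseline rather than a silent allowlist. As a point of style, `setUpClass` only forwards to the parent and could be removed, or written `super().setUpClass()` if the module is Python 3 only.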
@@ -512,7 +512,7 @@ class OpenStackDashboardPolicydTests(policyd.BasePolicydSpecialization, class SecurityTests(test_utils.OpenStackBaseTest, - OpenStackDashboardBase): + OpenStackDashboardBase): """Openstack-dashboard security tests.""" @classmethod @@ -541,9 +541,9 @@ class SecurityTests(test_utils.OpenStackBaseTest, ] logging.info('Running `security-checklist` action' - ' on {} leader'.format(self.application_name)) + ' on {} leader'.format(self.application_name)) test_utils.audit_assertions( - zaza_model.run_action_on_leader( + zaza_model.run_action_on_leader( self.application_name, 'security-checklist', model_name=self.model_name, From 1210e0c47e9dc18edca047a2c784ad9409c35589 Mon Sep 17 00:00:00 2001 From: Garrett Thompson Date: Wed, 10 Feb 2021 18:42:32 -0800 Subject: [PATCH 3/4] Skip security_checklist test for xenial_mitaka See bug 1915293 [0] for more details, but this test is already skipped in the repo's current state, this is just making it more explicit as part of the current refactor. [0] https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1915293 --- zaza/openstack/charm_tests/openstack_dashboard/tests.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/zaza/openstack/charm_tests/openstack_dashboard/tests.py b/zaza/openstack/charm_tests/openstack_dashboard/tests.py index 5cd341c..36e7175 100644 --- a/zaza/openstack/charm_tests/openstack_dashboard/tests.py +++ b/zaza/openstack/charm_tests/openstack_dashboard/tests.py 
@@ -535,10 +535,15 @@ class SecurityTests(test_utils.OpenStackBaseTest, ] expected_passes = [ 'disable_password_autocomplete', - 'enforce-password-check', 'validate-file-ownership', 'validate-file-permissions' ] + if (openstack_utils.get_os_release() <= + openstack_utils.get_os_release('xenial_mitaka')): + logging.info("Test expected to fail until bug #1915293 is fixed") + expected_failures.append('enforce-password-check') + else: + expected_passes.append('enforce-password-check') logging.info('Running `security-checklist` action' ' on {} leader'.format(self.application_name)) From ce4fe120219a3d23e9a4d917d37df33bee7f6433 Mon Sep 17 00:00:00 2001 From: Garrett Thompson Date: Thu, 11 Feb 2021 12:43:04 -0800 Subject: [PATCH 4/4] Revert "Skip security_checklist test for xenial_mitaka" This reverts commit 1210e0c47e9dc18edca047a2c784ad9409c35589. Rather than using an if statement for gating xenial_mitaka and earlier, test cases can be customized in tests/tests.yaml for individual bundles. This will be handled in review 774305. [0] https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/774305 --- zaza/openstack/charm_tests/openstack_dashboard/tests.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/zaza/openstack/charm_tests/openstack_dashboard/tests.py b/zaza/openstack/charm_tests/openstack_dashboard/tests.py index 36e7175..5cd341c 100644 --- a/zaza/openstack/charm_tests/openstack_dashboard/tests.py +++ b/zaza/openstack/charm_tests/openstack_dashboard/tests.py 
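Review bot: The log line added in the `xenial_mitaka` branch, `logging.info("Test expected to fail until bug #1915293 is fixed")`, describes the opposite of what the branch does: it moves `'enforce-password-check'` into `expected_failures`, so the test itself is expected to pass while that one check is expected to fail. Something like `logging.info("enforce-password-check expected to fail on xenial_mitaka and earlier until bug #1915293 is fixed")` states what is actually asserted. The hunk also uses `openstack_utils` without adding an import; if the module does not already import it, the test errors before the action is ever run. The enclosing `test_security_checklist` starts before and ends after this hunk, and patch 4/4 of this series reverts the gate, so the point only matters if the series is applied partially.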
@@ -535,15 +535,10 @@ class SecurityTests(test_utils.OpenStackBaseTest, ] expected_passes = [ 'disable_password_autocomplete', + 'enforce-password-check', 'validate-file-ownership', 'validate-file-permissions' ] - if (openstack_utils.get_os_release() <= - openstack_utils.get_os_release('xenial_mitaka')): - logging.info("Test expected to fail until bug #1915293 is fixed") - expected_failures.append('enforce-password-check') - else: - expected_passes.append('enforce-password-check') logging.info('Running `security-checklist` action' ' on {} leader'.format(self.application_name))
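Review bot: With the release gate removed, `'enforce-password-check'` is unconditionally expected to pass, and the reason older bundles are excluded now lives only in the commit message. A short comment next to that entry, such as `# Fails on xenial_mitaka and earlier (bug #1915293); those bundles opt out via tests/tests.yaml`, would tell the next reader where the exclusion is handled and why the list is not gated here. The enclosing `test_security_checklist` starts before and ends after this hunk.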