authorJackie Truong <jacklyn.truong@jhuapl.edu>2017-04-10 18:03:27 -0400
committerKaitlin Farr <kaitlin.farr@jhuapl.edu>2017-07-20 13:38:46 +0000
commitab903f340b10446257ce33ab36151d8849f9792e (patch)
treea2ad466cb3994e2bc1acd23061c02dd5c264c53f
parentf2055253e95f240733ea12de1d93b6f8d3208765 (diff)
Add ephemeral disk encryption scenario test
Adds ephemeral-disk-encryption group to Barbican Tempest configuration options. Enables ephemeral disk encryption for Barbican Tempest tests by updating pre_test_hook.sh, which is run at the start of relevant gate tests. Adds an ephemeral disk encryption scenario test to verify the functionality of encrypted ephemeral storage. The test creates an image, boots an instance from the created image, and writes to a new file in the instance. Improper calls to encrypt the LVM ephemeral disk that is being written to will be caught with this test. Change-Id: I5f194f3c2a91263d4d34204db5cd5845197169bb
Notes
Notes (review): Code-Review+1: dane-fichter <dane.fichter@jhuapl.edu> Code-Review+1: Nam Nguyen Hoai <namnh@vn.fujitsu.com> Code-Review+2: Dave McCowan <dmccowan@cisco.com> Code-Review+1: Brianna Poulos <Brianna.Poulos@jhuapl.edu> Code-Review+2: Kaitlin Farr <kaitlin.farr@jhuapl.edu> Workflow+1: Kaitlin Farr <kaitlin.farr@jhuapl.edu> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Thu, 20 Jul 2017 14:57:18 +0000 Reviewed-on: https://review.openstack.org/455459 Project: openstack/barbican-tempest-plugin Branch: refs/heads/master
-rw-r--r--barbican_tempest_plugin/config.py24
-rw-r--r--barbican_tempest_plugin/plugin.py5
-rw-r--r--barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py65
-rwxr-xr-xtools/pre_test_hook.sh15
4 files changed, 109 insertions, 0 deletions
diff --git a/barbican_tempest_plugin/config.py b/barbican_tempest_plugin/config.py
index 4326351..eae7a17 100644
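--- a/barbican_tempest_plugin/config.py
+++ b/barbican_tempest_plugin/config.py
@@ -19,3 +19,27 @@ service_option = cfg.BoolOpt("barbican",
  default=True,
  help="Whether or not barbican is expected to be "
  "available")
+
+ephemeral_storage_encryption_group = cfg.OptGroup(
+ name="ephemeral_storage_encryption",
+ title="Ephemeral storage encryption options")
+
+EphemeralStorageEncryptionGroup = [
+ cfg.BoolOpt('enabled',
+ default=False,
+ help="Does the test environment support ephemeral storage "
+ "encryption?"),
+ cfg.StrOpt('cipher',
+ default='aes-xts-plain64',
+ help="The cipher and mode used to encrypt ephemeral storage. "
+ "AES-XTS is recommended by NIST specifically for disk "
+ "storage, and the name is shorthand for AES encryption "
+ "using the XTS encryption mode. Available ciphers depend "
+ "on kernel support. At the command line, type "
+ "'cryptsetup benchmark' to determine the available "
+ "options (and see benchmark results), or go to "
+ "/proc/crypto."),
+ cfg.IntOpt('key_size',
+ default=256,
+ help="The key size used to encrypt ephemeral storage."),
+]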
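Review bot: The `key_size` help text at the end of the new option list does not mention that XTS splits the key in two, so with the default `aes-xts-plain64` cipher the default of 256 bits selects AES-128, not AES-256. I would extend it to something like `help="The key size in bits used to encrypt ephemeral storage. In XTS mode only half of the bits form the data key, so 256 selects AES-128 and 512 selects AES-256."`. The same applies to the `key_size = 256` line written for Nova in tools/pre_test_hook.sh, which should be 512 if AES-256 is the intent. As far as this page shows, the new scenario test reads only `enabled`, so `cipher` and `key_size` here describe the environment rather than configure it, which the help could also say.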
diff --git a/barbican_tempest_plugin/plugin.py b/barbican_tempest_plugin/plugin.py
index 2c13b24..a586eb0 100644
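--- a/barbican_tempest_plugin/plugin.py
+++ b/barbican_tempest_plugin/plugin.py
@@ -33,6 +33,11 @@ class BarbicanTempestPlugin(plugins.TempestPlugin):
  conf.register_opt(project_config.service_option,
  group='service_available')
 
+ # Register ephemeral storage encryption options
+ conf.register_group(project_config.ephemeral_storage_encryption_group)
+ conf.register_opts(project_config.EphemeralStorageEncryptionGroup,
+ project_config.ephemeral_storage_encryption_group)
+
  def get_opt_lists(self):
  return [('service_available', [project_config.service_option])]
 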
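Review bot: `get_opt_lists`, visible as context at the end of this hunk, still returns only the `service_available` entry, so the `ephemeral_storage_encryption` options registered just above are not advertised to whatever consumes that list (presumably option discovery and sample-config generation). I would add a second tuple to the returned list, `(project_config.ephemeral_storage_encryption_group.name, project_config.EphemeralStorageEncryptionGroup)`, so that `enabled`, `cipher` and `key_size` are discoverable. The method containing the new registration calls starts outside the hunk.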
diff --git a/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py b/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py
new file mode 100644
index 0000000..0dc78a9
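--- /dev/null
+++ b/barbican_tempest_plugin/tests/scenario/test_ephemeral_disk_encryption.py
@@ -0,0 +1,65 @@
+# Copyright (c) 2017 Johns Hopkins University Applied Physics Laboratory
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log as logging
+from tempest import config
+from tempest.lib import decorators
+from tempest import test
+
+from barbican_tempest_plugin.tests.scenario import barbican_manager
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class EphemeralStorageEncryptionTest(barbican_manager.BarbicanScenarioTest):
+
+ """The test suite for encrypted ephemeral storage
+
+ This test verifies the functionality of encrypted ephemeral storage.
+ This test performs the following:
+ * Creates an image in Glance
+ * Boots an instance from the image
+ * Writes to a new file in the instance
+ """
+
+ @classmethod
+ def skip_checks(cls):
+ super(EphemeralStorageEncryptionTest, cls).skip_checks()
+ if not CONF.ephemeral_storage_encryption.enabled:
+ raise cls.skipException(
+ 'Ephemeral storage encryption is not supported')
+
+ @decorators.idempotent_id('afe720b9-8b35-4a3c-8ff3-15841c2d3148')
+ @test.services('compute', 'image')
+ def test_encrypted_ephemeral_lvm_storage(self):
+ test_string = 'Once upon a time ...'
+ client_test_path = '/tmp/ephemeral_disk_encryption_test'
+ img_uuid = self.sign_and_upload_image()
+ keypair = self.create_keypair()
+ security_group = self._create_security_group()
+ instance = self.create_server(
+ name='signed_img_server',
+ image_id=img_uuid,
+ key_name=keypair['name'],
+ security_groups=[{'name': security_group['name']}],
+ wait_until='ACTIVE')
+ instance_ip = self.get_server_ip(instance)
+ ssh_client = self.get_remote_client(
+ instance_ip,
+ private_key=keypair['private_key'])
+ ssh_client.exec_command('echo "%s" > %s' % (test_string,
+ client_test_path))
+ test_output = ssh_client.exec_command('cat %s' % client_test_path)
+ self.assertEqual(str(test_string), str(test_output.rstrip()))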
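Review bot: `test_encrypted_ephemeral_lvm_storage` only writes a string inside the guest and reads it back through the guest filesystem, which returns the plaintext whether or not the backing LVM volume is encrypted, so a regression that silently leaves the disk unencrypted would still pass. The class docstring should state that limit, e.g. `This test does not verify that data at rest is encrypted; it only checks that an instance boots and can do I/O when encryption is enabled.` Covering the at-rest property would need a host-side check of the backing device, which this plugin may not have access to. The server name `'signed_img_server'` looks carried over from the image-signature test and could be renamed to match this scenario.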
diff --git a/tools/pre_test_hook.sh b/tools/pre_test_hook.sh
index 2640433..63b123e 100755
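--- a/tools/pre_test_hook.sh
+++ b/tools/pre_test_hook.sh
@@ -11,11 +11,22 @@ export LOCALCONF_PATH=$DEVSTACK_DIR/local.conf
 # Here we can set some configurations for local.conf
 # for example, to pass some config options directly to .conf files
 
+# Set up LVM device
+echo -e '[[local|localrc]]' >> $LOCALCONF_PATH
+echo -e 'NOVA_BACKEND=LVM' >> $LOCALCONF_PATH
+echo -e 'LVM_VOLUME_CLEAR=none' >> $LOCALCONF_PATH
+
 # For image signature verification tests
 echo -e '[[post-config|$NOVA_CONF]]' >> $LOCALCONF_PATH
 echo -e '[glance]' >> $LOCALCONF_PATH
 echo -e 'verify_glance_signatures = True' >> $LOCALCONF_PATH
 
+# For ephemeral storage encryption tests
+echo -e '[ephemeral_storage_encryption]' >> $LOCALCONF_PATH
+echo -e 'key_size = 256' >> $LOCALCONF_PATH
+echo -e 'cipher = aes-xts-plain64' >> $LOCALCONF_PATH
+echo -e 'enabled = True' >> $LOCALCONF_PATH
+
 # Allow dynamically created tempest users to create secrets
 # in barbican
 echo -e '[[test-config|$TEMPEST_CONFIG]]' >> $LOCALCONF_PATH
@@ -24,3 +35,7 @@ echo -e 'tempest_roles=creator' >> $LOCALCONF_PATH
 # Glance v1 doesn't do signature verification on image upload
 echo -e '[image-feature-enabled]' >> $LOCALCONF_PATH
 echo -e 'api_v1=False' >> $LOCALCONF_PATH
+
+# Enable ephemeral storage encryption in Tempest
+echo -e '[ephemeral_storage_encryption]' >> $LOCALCONF_PATH
+echo -e 'enabled = True' >> $LOCALCONF_PATH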
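Review bot: `LVM_VOLUME_CLEAR=none` in the first hunk carries no explanation, and if devstack maps it to Nova's volume-clearing behaviour, as the name suggests, the LVM volumes of deleted instances are no longer wiped. That is reasonable on a throwaway gate node, but hook scripts get copied into longer-lived environments, so I would add `# Gate-only: skip wiping LVM volumes on delete to save time; do not reuse outside CI.` above that line. The unquoted `$LOCALCONF_PATH` on every new `echo` line follows the file's existing style, but would break on a path containing spaces.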