Delete certs when deleting bay

Currently Magnum fails to delete certificates when barbican
cert manager is used. The code was copied from neutron-lbaas and
they have different usecase. In our case, certificate is managed by
Magnum not users, so we should delete certificates when deleting bay.
So this patch deletes all the certs related to a bay.

Change-Id: I5aab01641b9447153911680c5f68e5fe2c5a1409
Closes-bug: #1587033

magnum/common/cert_manager/barbican_cert_manager.py

@@ -190,34 +190,7 @@ class CertManager(cert_manager.CertManager):
     @staticmethod
     def delete_cert(cert_ref, service_name='Magnum', resource_ref=None,
                     **kwargs):
-        """Deregister as a consumer for the specified cert.
+        """Deletes the specified cert.
-
-        :param cert_ref: the UUID of the cert to retrieve
-        :param service_name: Friendly name for the consuming service
-        :param resource_ref: Full HATEOAS reference to the consuming resource
-
-        :raises Exception: if deregistration fails
-        """
-        connection = get_admin_clients().barbican()
-
-        LOG.info(_LI(
-            "Deregistering as a consumer of {0} in Barbican."
-        ).format(cert_ref))
-        try:
-            connection.containers.remove_consumer(
-                container_ref=cert_ref,
-                name=service_name,
-                url=resource_ref
-            )
-        except Exception:
-            with excutils.save_and_reraise_exception():
-                LOG.exception(_LE(
-                    "Error deregistering as a consumer of {0}"
-                ).format(cert_ref))
-
-    @staticmethod
-    def _actually_delete_cert(cert_ref):
-        """Deletes the specified cert. Very dangerous. Do not recommend.
 
         :param cert_ref: the UUID of the cert to delete
         :raises Exception: if certificate deletion fails

magnum/conductor/handlers/bay_conductor.py

@@ -229,7 +229,7 @@ class Handler(object):
                 context, taxonomy.ACTION_DELETE, taxonomy.OUTCOME_PENDING)
             osc.heat().stacks.delete(stack_id)
         except exc.HTTPNotFound:
-            LOG.info(_LI('The stack %s was not be found during bay'
+            LOG.info(_LI('The stack %s was not found during bay'
                          ' deletion.'), stack_id)
             try:
                 trust_manager.delete_trustee_and_trust(osc, context, bay)

magnum/tests/functional/api/v1/test_bay.py

@@ -114,6 +114,9 @@ class BayTest(base.BaseMagnumTest):
         resp, model = self.bay_client.delete_bay(bay_id)
         self.assertEqual(204, resp.status)
         self.bay_client.wait_for_bay_to_delete(bay_id)
+        self.assertRaises(
+            exceptions.NotFound,
+            self.cert_client.get_cert, bay_id)
         return resp, model
 
     def _get_bay_by_id(self, bay_id):

magnum/tests/unit/common/cert_manager/test_barbican.py

@@ -274,33 +274,13 @@ class TestBarbicanManager(base.BaseTestCase):
 
     @patch('magnum.common.clients.OpenStackClients.barbican')
     def test_delete_cert(self, mock_barbican):
-        # Mock out the client
-        bc = mock.MagicMock()
-        mock_barbican.return_value = bc
-
-        # Attempt to deregister as a consumer
-        bcm.CertManager.delete_cert(
-            cert_ref=self.container_ref,
-            resource_ref=self.container_ref,
-            service_name='Magnum'
-        )
-
-        # remove_consumer should be called once with the container_ref
-        bc.containers.remove_consumer.assert_called_once_with(
-            container_ref=self.container_ref,
-            url=self.container_ref,
-            name='Magnum'
-        )
-
-    @patch('magnum.common.clients.OpenStackClients.barbican')
-    def test_actually_delete_cert(self, mock_barbican):
         # Mock out the client
         bc = mock.MagicMock()
         bc.containers.get.return_value = self.container
         mock_barbican.return_value = bc
 
-        # Attempt to store a cert
+        # Attempt to delete a cert
-        bcm.CertManager._actually_delete_cert(
+        bcm.CertManager.delete_cert(
             cert_ref=self.container_ref
         )
 

magnum/tests/unit/conductor/handlers/test_bay_conductor.py

@@ -448,8 +448,9 @@ class TestHandler(db_base.DbTestCase):
             template='some template yaml',
             timeout_mins=timeout)
 
+    @patch('magnum.conductor.handlers.bay_conductor.cert_manager')
     @patch('magnum.common.clients.OpenStackClients')
-    def test_bay_delete(self, mock_openstack_client_class):
+    def test_bay_delete(self, mock_openstack_client_class, cert_manager):
         osc = mock.MagicMock()
         mock_openstack_client_class.return_value = osc
         osc.heat.side_effect = exc.HTTPNotFound
@@ -465,12 +466,16 @@ class TestHandler(db_base.DbTestCase):
             'magnum.bay.delete', notifications[1].event_type)
         self.assertEqual(
             taxonomy.OUTCOME_SUCCESS, notifications[1].payload['outcome'])
+        self.assertEqual(1,
+                         cert_manager.delete_certificates_from_bay.call_count)
         # The bay has been destroyed
         self.assertRaises(exception.BayNotFound,
                           objects.Bay.get, self.context, self.bay.uuid)
 
+    @patch('magnum.conductor.handlers.bay_conductor.cert_manager')
     @patch('magnum.common.clients.OpenStackClients')
-    def test_bay_delete_conflict(self, mock_openstack_client_class):
+    def test_bay_delete_conflict(self, mock_openstack_client_class,
+                                 cert_manager):
         osc = mock.MagicMock()
         mock_openstack_client_class.return_value = osc
         osc.heat.side_effect = exc.HTTPConflict
@@ -489,6 +494,8 @@ class TestHandler(db_base.DbTestCase):
             'magnum.bay.delete', notifications[1].event_type)
         self.assertEqual(
             taxonomy.OUTCOME_FAILURE, notifications[1].payload['outcome'])
+        self.assertEqual(0,
+                         cert_manager.delete_certificates_from_bay.call_count)
 
 
 class TestHeatPoller(base.TestCase):