From 3f38833cd4cc4510a74305fdb5a6a79154667c42 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 7 Jan 2019 16:52:59 -0500
Subject: [PATCH] Update for new IPAClient
IPA code has changed requiring changes to update module paths. Also, tripleo has improved security and changed which networks are accessible, and requiring password authentication for mysql. Also, the format for compact_services has changed.
Change-Id: If899dda3950a8020ac1c3e8263a38a3bdcccd325
---
 novajoin_tempest_plugin/ipa/ipa_client.py | 3 +-
 .../tests/scenario/novajoin_manager.py | 30 +++++++++++++++++--
 .../tests/scenario/test_tripleo_deployment.py | 4 +--
 .../tests/scenario/test_tripleo_tls.py | 12 ++++----
 4 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/novajoin_tempest_plugin/ipa/ipa_client.py b/novajoin_tempest_plugin/ipa/ipa_client.py
index ff23e35..9394c80 100644
--- a/novajoin_tempest_plugin/ipa/ipa_client.py
+++ b/novajoin_tempest_plugin/ipa/ipa_client.py
@@ -16,12 +16,11 @@
 import os
 import time
 import uuid
-
 try:
 from gssapi.exceptions import GSSError
 from ipalib import api
 from ipalib import errors
- from ipapython.ipautil import kinit_keytab
+ from ipalib.install.kinit import kinit_keytab
 ipalib_imported = True
 except ImportError:
 # ipalib/ipapython are not available in PyPy yet, don't make it
diff --git a/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py b/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
index 64c64c0..b4ba1e3 100644
--- a/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
+++ b/novajoin_tempest_plugin/tests/scenario/novajoin_manager.py
@@ -12,6 +12,8 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import json
+import six
 import subprocess
 import time
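Review bot: The new `kinit_keytab` import sits inside the `try` whose `except ImportError` is visible at the end of the hunk, so on a host that still ships the old module layout the new path fails and `ipalib_imported = True` is never reached, which looks the same as ipalib being absent. If older IPA releases must keep working, try the new path first and fall back to `from ipapython.ipautil import kinit_keytab` in a nested `except ImportError`; otherwise add a comment above the import stating the minimum IPA version the plugin now expects. The hunk also drops the blank line between `import uuid` and `try:`, which is worth keeping for readability. The `try` block continues outside the hunk.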
@@ -166,6 +168,19 @@ class NovajoinScenarioTest(manager.ScenarioTest):
 result = self.ipa_client.show_cert(serial)['result']
 self.assertTrue(result['revoked'])
+ def get_compact_services(self, metadata):
+ # compact key-per-service
+ compact_services = {key.split('_', 2)[-1]: json.loads(value)
+ for key, value in six.iteritems(metadata)
+ if key.startswith('compact_service_')}
+ if compact_services:
+ return compact_services
+ # legacy compact json format
+ if 'compact_services' in metadata:
+ return json.loads(metadata['compact_services'])
+
+ return None
+
 def verify_compact_services(self, services, host, verify_certs=False):
 for (service, networks) in services.items():
 for network in networks:
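Review bot: `get_compact_services` returns None when the metadata holds neither `compact_service_*` keys nor `compact_services`, and the caller changed in test_tripleo_deployment.py passes the result straight to `verify_compact_services`, which calls `services.items()`. The test then stops with an AttributeError instead of a message saying the host carries no service metadata, and an empty legacy value (`{}`) would verify nothing at all. Fail explicitly at the call site, e.g. `self.assertTrue(compact_services, "no compact service metadata for %s" % host)`. A short docstring naming the two accepted metadata formats would also help, since the inline comments are the only description of them.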
@@ -176,21 +191,30 @@ class NovajoinScenarioTest(manager.ScenarioTest):
 self.verify_service(service, subhost, verify_certs)
 def verify_service(self, service, host, verify_certs=False):
+ LOG.debug("verifying: %s %s ", service, host)
 self.verify_host_registered_with_ipa(host, add_domain=False)
 self.verify_service_created(service, host)
 self.verify_service_managed_by_host(service, host)
 if verify_certs:
 self.verify_service_cert(service, host)
+ LOG.debug("verified: %s %s ", service, host)
 def verify_service_cert(self, service, host):
 LOG.debug("Verifying cert for %s %s", service, host)
 serial = self.get_service_cert(service, host)
- if (service == 'mysql' and host ==
- 'overcloud-controller-0.internalapi.{domain}'.format(
- domain=self.ipa_client.domain)):
+
+ internal_controllers = ['{controller}.internalapi.{domain}'.format(
+ controller=ctl, domain=self.ipa_client.domain) for ctl in
+ CONF.novajoin.tripleo_controllers]
+
+ # TODO(alee) Need to understand why mysql is different
+ if service == 'mysql' and host in internal_controllers:
 pass
 else:
+ if serial is None:
+ LOG.error("Cert NOT verified for %s %s", service, host)
 self.assertTrue(serial is not None)
+ LOG.debug("Cert verified for %s %s", service, host)
 def verify_managed_services(self, services, verify_certs=False):
 for principal in services:
diff --git a/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py b/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py
index 56b9a03..635a416 100644
--- a/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py
+++ b/novajoin_tempest_plugin/tests/scenario/test_tripleo_deployment.py
@@ -11,7 +11,6 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-import ast
 from novajoin_tempest_plugin.tests.scenario import novajoin_manager
 from oslo_log import log as logging
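Review bot: The mysql exemption in `verify_service_cert` now covers every host built from `CONF.novajoin.tripleo_controllers` instead of a single controller, and the branch is a bare `pass`, so a missing mysql certificate on any controller passes without leaving a trace. The same commit removes `test_mysql_tls_setup` from test_tripleo_tls.py, which appears to narrow mysql TLS coverage further. Until the TODO is resolved, make the gap visible in that branch, e.g. `LOG.warning("Skipping cert check for %s %s", service, host)`. The `if serial is None: LOG.error(...)` pair followed by `assertTrue(serial is not None)` can collapse into `self.assertIsNotNone(serial, "Cert NOT verified for %s %s" % (service, host))`.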
@@ -80,8 +79,7 @@ class TripleOTest(novajoin_manager.NovajoinScenarioTest):
 for host in hosts:
 metadata = self.servers_client.list_server_metadata(
 self.get_server_id(host))['metadata']
- services = metadata['compact_services']
- compact_services = ast.literal_eval(services)
+ compact_services = self.get_compact_services(metadata)
 print(compact_services)
 self.verify_compact_services(
 services=compact_services,
diff --git a/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py b/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py
index aaf18a0..5fb8bb7 100644
--- a/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py
+++ b/novajoin_tempest_plugin/tests/scenario/test_tripleo_tls.py
@@ -132,15 +132,13 @@ class TripleOTLSTest(novajoin_manager.NovajoinScenarioTest):
 self.verify_overcloud_tls_connection(
 controller_ip=compute_ip,
 user='heat-admin',
- hostport="{host}:{port}".format(host=compute_ip,
- port=libvirt_port)
+ hostport="{host}.internalapi.{domain}:{port}".format(
+ host=compute,
+ domain=self.ipa_client.domain,
+ port=libvirt_port
+ )
 )
- def test_mysql_tls_setup(self):
- for controller in CONF.novajoin.tripleo_controllers:
- controller_ip = self.get_overcloud_server_ip(controller)
- self.verify_mysql_tls_connection('heat-admin', controller_ip)
-
 def test_mysql_nova_connection_with_ssl(self):
 for controller in CONF.novajoin.tripleo_controllers:
 controller_ip = self.get_overcloud_server_ip(controller)