From b21cf38faba1f0fc11a74c3a92cec85213f35ec0 Mon Sep 17 00:00:00 2001 
From: Colleen Murphy Date: Mon, 9 Jul 2018 12:04:01 +0200 Subject: [PATCH] Add beaker tests for openstack_project::server The openstack_project::server class is the most important piece of puppet configuration we have, so add tests for it so that we can be confident about upgrading it. Unlike the other puppet modules, this module is a subdirectory of the main repository, so all the tests and Gemfile need to be there. We symlink back to the main Gemfile in the root of the repository (which is used by the puppet-syntax check) and update it to be Zuul-compatible like the Gemfiles in the other modules. The spec helper depends on having a metadata.json file so it can read the module name, so add that. Add in-repo zuul jobs that inherit from the main jobs defined in openstack-zuul-jobs. We're defining them in-repo instead of just adding system-config to the list of repositories using these jobs because we need to override the project_src_dir variable. Depends-On: https://review.openstack.org/581308 Depends-On: https://review.openstack.org/581004 Depends-On: https://review.openstack.org/581448 Change-Id: Ic56d258573aa2a18d7ca27ea7fe1c2f121cd268f --- .zuul.yaml | 37 ++++++++ Gemfile | 10 ++- modules/openstack_project/Gemfile | 1 + modules/openstack_project/metadata.json | 11 +++ .../spec/acceptance/basic_spec.rb | 90 +++++++++++++++++++ .../spec/acceptance/fixtures/default.pp | 12 +++ .../acceptance/fixtures/postconditions.pp | 6 ++ .../spec/acceptance/nodesets/default.yml | 11 +++ .../acceptance/nodesets/nodepool-centos7.yml | 10 +++ .../acceptance/nodesets/nodepool-trusty.yml | 10 +++ .../acceptance/nodesets/nodepool-xenial.yml | 10 +++ 11 files changed, 206 insertions(+), 2 deletions(-) create mode 100644 .zuul.yaml create mode 120000 modules/openstack_project/Gemfile create mode 100644 modules/openstack_project/metadata.json create mode 100755 modules/openstack_project/spec/acceptance/basic_spec.rb create mode 100644 
modules/openstack_project/spec/acceptance/fixtures/default.pp create mode 100644 modules/openstack_project/spec/acceptance/fixtures/postconditions.pp create mode 100644 modules/openstack_project/spec/acceptance/nodesets/default.yml create mode 100644 modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml create mode 100644 modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml create mode 100644 modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml
diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 0000000000..68fa1f751b
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,37 @@
+- job:
+ name: puppet-beaker-rspec-infra-system-config
+ parent: puppet-beaker-rspec-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-infra-centos-7-system-config
+ parent: puppet-beaker-rspec-centos-7-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-puppet-4-infra-system-config
+ parent: puppet-beaker-rspec-puppet-4-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- job:
+ name: puppet-beaker-rspec-puppet-4-centos-7-infra-system-config
+ parent: puppet-beaker-rspec-puppet-4-infra
+ vars:
+ project_src_dir: "{{ zuul.project.src_dir }}/modules/openstack_project"
+
+- project:
+ check:
+ jobs:
+ - puppet-beaker-rspec-infra-system-config
+ - puppet-beaker-rspec-infra-centos-7-system-config
+ - puppet-beaker-rspec-puppet-4-infra-system-config:
+ voting: false
+ - puppet-beaker-rspec-puppet-4-centos-7-infra-system-config:
+ voting: false
+ gate:
+ jobs:
+ - puppet-beaker-rspec-infra-system-config
+ - puppet-beaker-rspec-infra-centos-7-system-config
diff --git a/Gemfile b/Gemfile
index e350f810c5..019213ae22 100644
--- a/Gemfile
+++ b/Gemfile
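Review bot: In the `.zuul.yaml` hunk the fourth job, `puppet-beaker-rspec-puppet-4-centos-7-infra-system-config`, declares `parent: puppet-beaker-rspec-puppet-4-infra`, the same parent as the non-CentOS puppet-4 job just above it, whereas the puppet-3 CentOS job inherits from a `-centos-7-` parent. If the parent is what selects the node type, this job runs on the same platform as `puppet-beaker-rspec-puppet-4-infra-system-config` and the CentOS 7 / Puppet 4 combination is never exercised, so a green result would give false confidence for that platform. The parent jobs live in openstack-zuul-jobs and are not visible here; confirm whether the CentOS 7 variant of the puppet-4 parent was intended.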
@@ -1,9 +1,15 @@
 source 'https://rubygems.org'
 
+if File.exists?('/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper')
+ gem_checkout_method = {:path => '/home/zuul/src/git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
+else
+ gem_checkout_method = {:git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper'}
+end
+gem_checkout_method[:require] = false
+
 group :development, :test, :system_tests do
 gem 'puppet-openstack_infra_spec_helper',
- :git => 'https://git.openstack.org/openstack-infra/puppet-openstack_infra_spec_helper',
- :require => false
+ gem_checkout_method
 end
 
 # vim:ft=ruby
diff --git a/modules/openstack_project/Gemfile b/modules/openstack_project/Gemfile
new file mode 120000
index 0000000000..2e432fab9e
--- /dev/null
+++ b/modules/openstack_project/Gemfile
@@ -0,0 +1 @@
+../../Gemfile
\ No newline at end of file
diff --git a/modules/openstack_project/metadata.json b/modules/openstack_project/metadata.json
new file mode 100644
index 0000000000..46af576adb
--- /dev/null
+++ b/modules/openstack_project/metadata.json
@@ -0,0 +1,11 @@
+{
+ "name": "openstackinfra-openstack_project",
+ "version": "0.0.1",
+ "author": "Openstack CI",
+ "summary": "Puppet module for openstack_project",
+ "license": "Apache 2.0",
+ "source": "git://git.openstack.org/openstack-infra/system-config.git",
+ "project_page": "http://docs.openstack.org/infra/system-config/",
+ "issues_url": "https://storyboard.openstack.org/#!/project/778",
+ "dependencies": []
+}
diff --git a/modules/openstack_project/spec/acceptance/basic_spec.rb b/modules/openstack_project/spec/acceptance/basic_spec.rb
new file mode 100755
index 0000000000..786c4f075a
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/basic_spec.rb
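Review bot: `File.exists?` in the added `if` of the root `Gemfile` is the deprecated alias and was removed in Ruby 3.2, so this Gemfile stops evaluating on newer Rubies; use `File.exist?`. The checkout path is also spelled out twice, once in the test and once in the `:path` value; holding it in a local (`spec_helper_path = '/home/zuul/src/…'`) keeps the two from drifting apart. Either branch loads the helper without a pinned revision (the `:git` form names no `:ref` or `:tag`), so the test run executes whatever the helper repository currently contains; that was already the case before this change, but a short comment saying it is intentional would help the next reader.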
@@ -0,0 +1,90 @@
+require 'puppet-openstack_infra_spec_helper/spec_helper_acceptance'
+
+describe 'openstack_project::server' do
+
+ def pp_path
+ base_path = File.dirname(__FILE__)
+ File.join(base_path, 'fixtures')
+ end
+
+ def puppet_manifest
+ manifest_path = File.join(pp_path, 'default.pp')
+ File.read(manifest_path)
+ end
+
+ def postconditions_puppet_manifest
+ manifest_path = File.join(pp_path, 'postconditions.pp')
+ File.read(manifest_path)
+ end
+
+ before(:all) do
+ # The ssh_authorized_key resource uses the key comment as a universal
+ # identifier, so if a user's key is already in root's authorized keys, it
+ # conflicts with adding the key for the user itself. Move root's key list
+ # aside temporarily.
+ shell('mv /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak')
+ # epel is needed to install exim
+ if os[:family] == 'redhat'
+ shell('yum-config-manager --enable epel')
+ end
+ end
+
+ it 'should work with no errors' do
+ apply_manifest(puppet_manifest, catch_failures: true)
+ end
+
+ it 'should be idempotent' do
+ apply_manifest(puppet_manifest, catch_changes: true)
+ end
+
+ it 'should turn root ssh back on' do
+ apply_manifest(postconditions_puppet_manifest, catch_failures: true)
+ shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys')
+ end
+
+ ['mordred',
+ 'corvus',
+ 'clarkb',
+ 'fungi',
+ 'jhesketh',
+ 'yolanda',
+ 'pabelanger',
+ 'rcarrillocruz',
+ 'ianw',
+ 'shrews',
+ 'dmsimard',
+ 'frickler'].each do |user|
+ describe user(user) do
+ it { should exist }
+ end
+ end
+
+ ['slukjanov', 'elizabeth', 'nibz'].each do |user|
+ describe user(user) do
+ it { should_not exist }
+ end
+ end
+
+ exim = os[:family] == 'ubuntu' ? 'exim4' : 'exim'
+ ntp = os[:family] == 'ubuntu' ? 'ntp' : 'ntpd'
+ services = ['rsyslog', 'unbound', exim, 'snmpd', ntp]
+ if os[:family] == 'ubuntu'
+ services.push('openafs-client')
+ end
+ services.each do |service|
+ describe service(service) do
+ it { should be_running }
+ end
+ end
+
+ describe command('iptables -S') do
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
+ its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
+ its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
+ end
+
+end
diff --git a/modules/openstack_project/spec/acceptance/fixtures/default.pp b/modules/openstack_project/spec/acceptance/fixtures/default.pp
new file mode 100644
index 0000000000..bdf3f04206
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/fixtures/default.pp
@@ -0,0 +1,12 @@
+$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
+$manage_afs = $::operatingsystem ? {
+ 'CentOS' => false,
+ default => true
+}
+
+class { 'openstack_project::server':
+ iptables_public_tcp_ports => [80, 443, 29418],
+ iptables_rules6 => $iptables_rules,
+ iptables_rules4 => $iptables_rules,
+ afs => $manage_afs,
+}
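Review bot: In `basic_spec.rb` the `before(:all)` hook renames `/root/.ssh/authorized_keys`, but the restore is the last statement of the `'should turn root ssh back on'` example, after an `apply_manifest(..., catch_failures: true)` that raises on failure; if that apply fails, or the run stops before reaching that example, the node is left with root's key list still renamed. Putting the restore in a hook makes it unconditional: `after(:all) { shell('mv /root/.ssh/authorized_keys.bak /root/.ssh/authorized_keys') }`. The initial `mv` also exits non-zero when root has no `authorized_keys` file; whether that aborts the suite depends on the helper's `shell` defaults, which are not visible here, so a one-line comment stating that the file is expected to exist on test nodes would help.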
diff --git a/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp b/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp
new file mode 100644
index 0000000000..ba75282e9f
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/fixtures/postconditions.pp
@@ -0,0 +1,6 @@
+# Turn root ssh back on, otherwise we can't post logs
+class { 'ssh':
+ trusted_ssh_type => 'address',
+ trusted_ssh_source => '23.253.245.198,2001:4800:7818:101:3c21:a454:23ed:4072',
+ permit_root_login => 'yes',
+}
diff --git a/modules/openstack_project/spec/acceptance/nodesets/default.yml b/modules/openstack_project/spec/acceptance/nodesets/default.yml
new file mode 100644
index 0000000000..3bb3e62648
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/default.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ ubuntu-server-1404-x64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ box: puppetlabs/ubuntu-14.04-64-nocm
+ box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+ hypervisor: vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml
new file mode 100644
index 0000000000..c55287420c
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-centos7.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ centos-70-x64:
+ roles:
+ - master
+ platform: el-7-x86_64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml
new file mode 100644
index 0000000000..9fc624e24a
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-trusty.yml
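Review bot: In `postconditions.pp`, `permit_root_login => 'yes'` combined with two literal addresses in `trusted_ssh_source` is the security-relevant part of this fixture, yet the only comment ("otherwise we can't post logs") does not say which host those addresses belong to or why root access is tied to them. Please add a comment above `trusted_ssh_source` naming the host the two addresses identify, so a later reader can tell when they go stale. If the `ssh` class passes `permit_root_login` straight through to sshd's `PermitRootLogin`, `'yes'` also admits password logins for root wherever password authentication is enabled; a key-only value such as `prohibit-password` (`without-password` on older OpenSSH) would likely be enough for log collection, but the class is not visible here, so confirm which values it accepts.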
@@ -0,0 +1,10 @@
+HOSTS:
+ ubuntu-14.04-amd64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false
diff --git a/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml b/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml
new file mode 100644
index 0000000000..99dd318778
--- /dev/null
+++ b/modules/openstack_project/spec/acceptance/nodesets/nodepool-xenial.yml
@@ -0,0 +1,10 @@
+HOSTS:
+ ubuntu-16.04-amd64:
+ roles:
+ - master
+ platform: ubuntu-16.04-amd64
+ hypervisor: none
+ ip: 127.0.0.1
+CONFIG:
+ type: foss
+ set_env: false