# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import pytest


# Hosts these testinfra checks are run against; each test below skips itself
# on the hosts it does not apply to.
testinfra_hosts = ['adns-letsencrypt.opendev.org',
                   'bridge.openstack.org',
                   'letsencrypt01.opendev.org',
                   'letsencrypt02.opendev.org']


def test_acme_zone(host):
    """Check that the ACME zone file exists and its TXT records are served.

    Runs only on adns-letsencrypt.opendev.org; every other host is skipped.
    The test passes when a ``dig`` TXT query for acme.opendev.org returns
    exactly six matching records.
    """
    if host.backend.get_hostname() != 'adns-letsencrypt.opendev.org':
        pytest.skip()

    zone_db = host.file('/var/lib/bind/zones/acme.opendev.org/zone.db')
    assert zone_db.exists

    # On our test nodes unbound is listening on 127.0.0.1:53, so the query
    # is sent to the default IPv4 address to make sure it hits bind.
    facts = host.ansible("setup")["ansible_facts"]
    query_addr = facts["ansible_default_ipv4"]["address"]

    # NOTE(review): the address is concatenated into the command string
    # unquoted; it is read from this host's own ansible facts above.
    dig_command = "dig -t txt acme.opendev.org @" + query_addr
    dig = host.run(dig_command)

    # NOTE(review): dig usually separates answer fields with tabs -- confirm
    # the whitespace inside this prefix matches the real output.
    txt_lines = [line for line in dig.stdout.split('\n')
                 if line.startswith('acme.opendev.org. 60 IN TXT')]
    count = len(txt_lines)

    if count != 6:
        # NOTE(ianw): I'm sure there's more pytest-y ways to save this
        # for debugging ...
        print(dig.stdout)
    assert count == 6, "Did not see required number of TXT records!"
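def _assert_letsencrypt_file(host, path):
    """Assert that *path* exists, is root:letsencrypt and has mode 0o640."""
    target = host.file(path)
    assert target.exists, path
    assert target.user == "root", path
    assert target.group == "letsencrypt", path
    # 0o640: owner read/write, group read, no access for anyone else.  This
    # applies to the private key as well as to the certificates.
    assert target.mode == 0o640, path


def test_certs_created(host):
    """Check ownership and permissions of the issued key and cert files.

    For every certificate directory expected on the host, the private key
    (``<name>.key``), the certificate (``<name>.cer``) and the CA
    certificate (``ca.cer``) must exist under /etc/letsencrypt-certs/ as
    root:letsencrypt with mode 0o640.  Hosts other than letsencrypt01 and
    letsencrypt02 are skipped.
    """
    expected_cert_dirs = {
        'letsencrypt01.opendev.org': (
            'letsencrypt01.opendev.org',
            'someotherservice.opendev.org',
        ),
        'letsencrypt02.opendev.org': (
            'letsencrypt02.opendev.org',
        ),
    }

    hostname = host.backend.get_hostname()
    if hostname not in expected_cert_dirs:
        pytest.skip()

    for cert_dir in expected_cert_dirs[hostname]:
        base = '/etc/letsencrypt-certs/' + cert_dir + '/'
        # Every file is checked through the same helper, so the CA
        # certificate of each directory is verified in its own right and
        # not the first directory's one a second time.
        for file_name in (cert_dir + '.key', cert_dir + '.cer', 'ca.cer'):
            _assert_letsencrypt_file(host, base + file_name)


def test_updated_handler(host):
    """Check that the expected stamp files were left in /tmp.

    letsencrypt01 must have a main-service and an other-service stamp,
    letsencrypt02 only a main-service stamp; other hosts are skipped.
    """
    hostname = host.backend.get_hostname()
    if hostname == 'letsencrypt01.opendev.org':
        stamps = ('/tmp/letsencrypt01-main-service.stamp',
                  '/tmp/letsencrypt01-other-service.stamp')
    elif hostname == 'letsencrypt02.opendev.org':
        stamps = ('/tmp/letsencrypt02-main-service.stamp',)
    else:
        pytest.skip()

    # Only existence is asserted; owner and mode of the stamps are not.
    for stamp_path in stamps:
        stamp_file = host.file(stamp_path)
        assert stamp_file.exists, stamp_path


def test_acme_sh_config(host):
    """Check that acme.sh's account.conf carries the test account e-mail.

    Runs on hosts whose name starts with ``letsencrypt0``.
    """
    if not host.backend.get_hostname().startswith('letsencrypt0'):
        pytest.skip()

    config = host.file('/root/.acme.sh/account.conf')
    assert config.exists
    assert config.contains("^ACCOUNT_EMAIL='le-test@opendev.org'")


def test_certcheck_config(host, zuul_data):
    """Check the certcheck domain list written on the bridge host.

    Runs only on bridge.openstack.org and only when the zuul job is
    system-config-run-letsencrypt.  The list must be owned by the
    ``certcheck`` user and contain the two expected entries.
    """
    if host.backend.get_hostname() != 'bridge.openstack.org':
        pytest.skip()
    if zuul_data['extra']['zuul']['job'] != 'system-config-run-letsencrypt':
        pytest.skip()

    domainlist = host.file('/var/lib/certcheck/ssldomains')

    # TODO(ianw): figure out a flag or something from the
    # system-config-run-letsencrypt test so that we can assert this
    # file exists only in that case.
    # NOTE(review): until then a missing file is reported as a skip, not as
    # a failure, even though the job name was already checked above.
    if not domainlist.exists:
        pytest.skip()

    assert domainlist.exists
    assert domainlist.user == 'certcheck'

    # NOTE(review): the patterns below are matched as regular expressions,
    # so the unescaped dots accept any character -- confirm that is fine.
    # from variables
    assert domainlist.contains('^letsencrypt01.opendev.org 5000')
    # from extra list; may need to change if list is modified
    assert domainlist.contains('^wiki.openstack.org 443')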