Add multi-backend testing

Use the Juju charm https://jaas.ai/u/ionutbalutoiu/test-saml-idp to deploy two local
SAML-based IdPs, and relate them to two instances of the keystone-saml-mellon charm.

The corresponding Zaza tests will validate that Keystone is properly
set up, with its multiple backends pointing to our local IdPs.

Change-Id: I926941e47966330f079929156cdbefd03b00eb64
Func-Test-Pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/480
This commit is contained in:
Ionut Balutoiu 2021-01-08 18:12:55 +00:00
parent 87f50baae7
commit 6196c85842
6 changed files with 159 additions and 147 deletions


@ -60,7 +60,9 @@ relations:
- - ntp:juju-info
- neutron-gateway:juju-info
- - keystone
- keystone-saml-mellon
- keystone-saml-mellon1
- - keystone
- keystone-saml-mellon2
- - vault:shared-db
- mysql:shared-db
- - vault:certificates
@ -70,7 +72,9 @@ relations:
- - vault:certificates
- openstack-dashboard:certificates
- - openstack-dashboard
- keystone-saml-mellon
- keystone-saml-mellon1
- - openstack-dashboard
- keystone-saml-mellon2
- - keystone:websso-trusted-dashboard
- openstack-dashboard:websso-trusted-dashboard
- - vault:certificates
@ -142,13 +146,39 @@ services:
vault:
num_units: 1
charm: cs:~openstack-charmers-next/vault
keystone-saml-mellon:
keystone-saml-mellon1:
series: bionic
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'samltest'
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
user-facing-name: "samltest.id"
user-facing-name: "Test SAML IDP #1"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp1:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
auth-user-name: 'user1'
auth-user-password: 'userpass1'
keystone-saml-mellon2:
series: bionic
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
user-facing-name: "Test SAML IDP #2"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp2:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
auth-user-name: 'user2'
auth-user-password: 'userpass2'
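Review bot: The new `keystone-saml-mellon2` block (and the renamed `keystone-saml-mellon1` one) carries `subject-confirmation-data-address-check: False` with no comment on why a SAML response check is being relaxed; a line such as `# address check off: presumably the asserted client address differs from the one the SP sees in this test topology — confirm` would record the intent, and lowercase `false` avoids the yamllint truthy warning. `charm: cs:~ionutbalutoiu/test-saml-idp` is pulled from a personal namespace with no revision, so a later push to that charm silently changes what the gate deploys and what the federation test trusts; pinning it as `cs:~ionutbalutoiu/test-saml-idp-<REVISION>` keeps the gate reproducible. `auth-user-password: 'userpass1'` / `'userpass2'` are clear-text credentials in a committed bundle; a comment such as `# throwaway credentials for the local test IdP only` stops readers and secret scanners from treating them as real secrets. The same three points apply to the focal and groovy `applications:` sections below.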


@ -169,16 +169,43 @@ applications:
to:
- '18'
keystone-saml-mellon:
keystone-saml-mellon1:
series: focal
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'samltest'
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
user-facing-name: "samltest.id"
user-facing-name: "Test SAML IDP #1"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp1:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
auth-user-name: 'user1'
auth-user-password: 'userpass1'
keystone-saml-mellon2:
series: focal
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
user-facing-name: "Test SAML IDP #2"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp2:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
auth-user-name: 'user2'
auth-user-password: 'userpass2'
keystone-hacluster:
charm: cs:~openstack-charmers-next/hacluster
@ -298,7 +325,9 @@ relations:
- 'neutron-gateway:juju-info'
- - 'keystone'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'keystone'
- 'keystone-saml-mellon2'
- - 'vault:shared-db'
- 'vault-mysql-router:shared-db'
@ -315,7 +344,9 @@ relations:
- 'openstack-dashboard:certificates'
- - 'openstack-dashboard'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'openstack-dashboard'
- 'keystone-saml-mellon2'
- - 'keystone:websso-trusted-dashboard'
- 'openstack-dashboard:websso-trusted-dashboard'


@ -169,16 +169,43 @@ applications:
to:
- '18'
keystone-saml-mellon:
keystone-saml-mellon1:
series: focal
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'samltest'
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
user-facing-name: "samltest.id"
user-facing-name: "Test SAML IDP #1"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp1:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
auth-user-name: 'user1'
auth-user-password: 'userpass1'
keystone-saml-mellon2:
series: focal
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
user-facing-name: "Test SAML IDP #2"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp2:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
auth-user-name: 'user2'
auth-user-password: 'userpass2'
keystone-hacluster:
charm: cs:~openstack-charmers-next/hacluster
@ -298,7 +325,9 @@ relations:
- 'neutron-gateway:juju-info'
- - 'keystone'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'keystone'
- 'keystone-saml-mellon2'
- - 'vault:shared-db'
- 'vault-mysql-router:shared-db'
@ -315,7 +344,9 @@ relations:
- 'openstack-dashboard:certificates'
- - 'openstack-dashboard'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'openstack-dashboard'
- 'keystone-saml-mellon2'
- - 'keystone:websso-trusted-dashboard'
- 'openstack-dashboard:websso-trusted-dashboard'


@ -169,16 +169,43 @@ applications:
to:
- '18'
keystone-saml-mellon:
keystone-saml-mellon1:
series: groovy
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'samltest'
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
user-facing-name: "samltest.id"
user-facing-name: "Test SAML IDP #1"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp1:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp1'
protocol-name: 'mapped'
auth-user-name: 'user1'
auth-user-password: 'userpass1'
keystone-saml-mellon2:
series: groovy
charm: ../../../keystone-saml-mellon
num_units: 0
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
user-facing-name: "Test SAML IDP #2"
subject-confirmation-data-address-check: False
nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
test-saml-idp2:
charm: cs:~ionutbalutoiu/test-saml-idp
num_units: 1
options:
idp-name: 'test-saml-idp2'
protocol-name: 'mapped'
auth-user-name: 'user2'
auth-user-password: 'userpass2'
keystone-hacluster:
charm: cs:~openstack-charmers-next/hacluster
@ -298,7 +325,9 @@ relations:
- 'neutron-gateway:juju-info'
- - 'keystone'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'keystone'
- 'keystone-saml-mellon2'
- - 'vault:shared-db'
- 'vault-mysql-router:shared-db'
@ -315,7 +344,9 @@ relations:
- 'openstack-dashboard:certificates'
- - 'openstack-dashboard'
- 'keystone-saml-mellon'
- 'keystone-saml-mellon1'
- - 'openstack-dashboard'
- 'keystone-saml-mellon2'
- - 'keystone:websso-trusted-dashboard'
- 'openstack-dashboard:websso-trusted-dashboard'


@ -1,123 +0,0 @@
<!-- The entity describing the SAMLtest IdP, named by the entityID below -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<Extensions>
<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are
typically those with a @ delimiter, like mail. Most IdP's serve only a single domain. It's crucial
for the SP to check received attribute values match permitted domains to prevent a recognized IdP from
sending attribute values for which a different recognized IdP is authoritative. -->
<shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
<!-- Display information about this IdP that can be used by SP's and discovery
services to identify the IdP meaningfully for end users -->
<mdui:UIInfo>
<mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
<mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
<mdui:Logo height="90" width="225">https://samltest.id/saml/logo.png</mdui:Logo>
</mdui:UIInfo>
</Extensions>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDEjCCAfqgAwIBAgIVAPVbodo8Su7/BaHXUHykx0Pi5CFaMA0GCSqGSIb3DQEB
CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCQb+1a7uDdTTBBFfwOUun3IQ9nEuKM98SmJDWa
MwM877elswKUTIBVh5gB2RIXAPZt7J/KGqypmgw9UNXFnoslpeZbA9fcAqqu28Z4
sSb2YSajV1ZgEYPUKvXwQEmLWN6aDhkn8HnEZNrmeXihTFdyr7wjsLj0JpQ+VUlc
4/J+hNuU7rGYZ1rKY8AA34qDVd4DiJ+DXW2PESfOu8lJSOteEaNtbmnvH8KlwkDs
1NvPTsI0W/m4SK0UdXo6LLaV8saIpJfnkVC/FwpBolBrRC/Em64UlBsRZm2T89ca
uzDee2yPUvbBd5kLErw+sC7i4xXa2rGmsQLYcBPhsRwnmBmlAgMBAAGjVzBVMB0G
A1UdDgQWBBRZ3exEu6rCwRe5C7f5QrPcAKRPUjA0BgNVHREELTArggtzYW1sdGVz
dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
AAOCAQEABZDFRNtcbvIRmblnZItoWCFhVUlq81ceSQddLYs8DqK340//hWNAbYdj
WcP85HhIZnrw6NGCO4bUipxZXhiqTA/A9d1BUll0vYB8qckYDEdPDduYCOYemKkD
dmnHMQWs9Y6zWiYuNKEJ9mf3+1N8knN/PK0TYVjVjXAf2CnOETDbLtlj6Nqb8La3
sQkYmU+aUdopbjd5JFFwbZRaj6KiHXHtnIRgu8sUXNPrgipUgZUOVhP0C0N5OfE4
JW8ZBrKgQC/6vJ2rSa9TlzI6JAa5Ww7gMXMP9M+cJUNQklcq+SBnTK8G+uBHgPKR
zBDsMIEzRtQZm4GIoHJae4zmnCekkQ==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<!-- A set of endpoints where the IdP can receive logout messages. These must match the public
facing addresses if this IdP is hosted behind a reverse proxy. -->
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<!-- An endpoint for artifact resolution. Please see Wikipedia for more details about SAML
artifacts and when you may find them useful. -->
<ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />
<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. -->
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>
</IDPSSODescriptor>
</EntityDescriptor>


@ -11,16 +11,19 @@ gate_bundles:
configure:
- zaza.openstack.charm_tests.vault.setup.auto_initialize
- zaza.openstack.charm_tests.saml_mellon.setup.attach_saml_resources
- zaza.openstack.charm_tests.saml_mellon.setup.attach_saml_resources_idp1
- zaza.openstack.charm_tests.saml_mellon.setup.attach_saml_resources_idp2
- zaza.openstack.charm_tests.keystone.setup.add_demo_user
- zaza.openstack.charm_tests.glance.setup.add_lts_image
- zaza.openstack.charm_tests.nova.setup.create_flavors
- zaza.openstack.charm_tests.nova.setup.manage_ssh_key
- zaza.openstack.charm_tests.neutron.setup.basic_overcloud_network
- zaza.openstack.charm_tests.saml_mellon.setup.keystone_federation_setup
- zaza.openstack.charm_tests.saml_mellon.setup.keystone_federation_setup_idp1
- zaza.openstack.charm_tests.saml_mellon.setup.keystone_federation_setup_idp2
tests:
- zaza.openstack.charm_tests.saml_mellon.tests.CharmKeystoneSAMLMellonTest
- zaza.openstack.charm_tests.saml_mellon.tests.CharmKeystoneSAMLMellonIDP1Test
- zaza.openstack.charm_tests.saml_mellon.tests.CharmKeystoneSAMLMellonIDP2Test
- zaza.openstack.charm_tests.keystone.tests.AuthenticationAuthorizationTest
target_deploy_status:
@ -30,9 +33,18 @@ target_deploy_status:
vault:
workload-status: blocked
workload-status-message: Vault needs to be initialized
keystone-saml-mellon:
keystone-saml-mellon1:
workload-status: blocked
workload-status-message: "Configuration is incomplete. idp-metadata: idp-metadata resource has not been provided,sp-signing-keyinfo: sp-signing-keyinfo resource has not been provided,sp-private-key: sp-private-key resource has not been provided"
test-saml-idp1:
workload-status: blocked
workload-status-message: "sp-metadata resource is not a well-formed xml file"
keystone-saml-mellon2:
workload-status: blocked
workload-status-message: "Configuration is incomplete. idp-metadata: idp-metadata resource has not been provided,sp-signing-keyinfo: sp-signing-keyinfo resource has not been provided,sp-private-key: sp-private-key resource has not been provided"
test-saml-idp2:
workload-status: blocked
workload-status-message: "sp-metadata resource is not a well-formed xml file"
tests_options:
force_deploy: