This test automate SSL checks.
The first test automates the following test case: Check MOS services are NOT running ssl on public endpoints when TLS is disabled. The second test automates the following test case: Check cluster creation with SSL is enabled only on Master node. This change also fixes a typo in a comment in test_cli.py. Related bug: 1544542 Change-Id: I506c0a3763c208e04011e6f75577812d2a959f04
parent
16b3b509da
commit
3346b9116a
@ -670,3 +670,8 @@ Deployment with platform components
|
|||||||
Template based tests
|
Template based tests
|
||||||
--------------------
|
--------------------
|
||||||
.. automodule:: fuelweb_test.actions_tests
|
.. automodule:: fuelweb_test.actions_tests
|
||||||
|
|
||||||
|
Test for ssl components
|
||||||
|
-----------------------
|
||||||
|
.. automodule:: fuelweb_test.tests.test_ssl
|
||||||
|
:members:
|
@ -51,7 +51,7 @@ def save_logs(url, path, auth_token=None, chunk_size=1024):
|
|||||||
if auth_token is not None:
|
if auth_token is not None:
|
||||||
headers['X-Auth-Token'] = auth_token
|
headers['X-Auth-Token'] = auth_token
|
||||||
|
|
||||||
stream = requests.get(url, headers=headers, stream=True)
|
stream = requests.get(url, headers=headers, stream=True, verify=False)
|
||||||
if stream.status_code != 200:
|
if stream.status_code != 200:
|
||||||
logger.error("%s %s: %s", stream.status_code, stream.reason,
|
logger.error("%s %s: %s", stream.status_code, stream.reason,
|
||||||
stream.content)
|
stream.content)
|
||||||
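Review bot: `verify=False` on the `requests.get` call in `save_logs` turns off certificate verification for every download, so when the URL is the new `https://…:8443` endpoint the `X-Auth-Token` header goes to a peer whose identity is never checked. The settings module shown on this page already defines `VERIFY_SSL`; if its meaning fits, `stream = requests.get(url, headers=headers, stream=True, verify=settings.VERIFY_SSL)` (or a CA bundle path) keeps the lab default while letting verification be switched on, assuming `settings` is importable in this module, which the hunk does not show. If verification has to stay off because the master node uses a self-signed certificate, a comment next to the call such as `# master node cert is self-signed; verification is off for test environments only` would record that decision. The body of `save_logs` continues outside the hunk.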
@ -315,7 +315,13 @@ def create_diagnostic_snapshot(env, status, name=""):
|
|||||||
task = env.fuel_web.task_wait(env.fuel_web.client.generate_logs(), 60 * 10)
|
task = env.fuel_web.task_wait(env.fuel_web.client.generate_logs(), 60 * 10)
|
||||||
assert_true(task['status'] == 'ready',
|
assert_true(task['status'] == 'ready',
|
||||||
"Generation of diagnostic snapshot failed: {}".format(task))
|
"Generation of diagnostic snapshot failed: {}".format(task))
|
||||||
url = "http://{}:8000{}".format(env.get_admin_node_ip(), task['message'])
|
if settings.FORCE_HTTPS_MASTER_NODE:
|
||||||
|
url = "https://{}:8443{}".format(env.get_admin_node_ip(),
|
||||||
|
task['message'])
|
||||||
|
else:
|
||||||
|
url = "http://{}:8000{}".format(env.get_admin_node_ip(),
|
||||||
|
task['message'])
|
||||||
|
|
||||||
log_file_name = '{status}_{name}-{basename}'.format(
|
log_file_name = '{status}_{name}-{basename}'.format(
|
||||||
status=status,
|
status=status,
|
||||||
name=name,
|
name=name,
|
||||||
|
@ -621,3 +621,7 @@ class OpenStackActions(common.Common):
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
return self.neutron.create_router(router_info)['router']
|
return self.neutron.create_router(router_info)['router']
|
||||||
|
|
||||||
|
def get_keystone_endpoints(self):
|
||||||
|
endpoints = self.keystone.endpoints.list()
|
||||||
|
return endpoints
|
||||||
|
@ -444,7 +444,8 @@ class EnvironmentModel(object):
|
|||||||
def setup_environment(self, custom=settings.CUSTOM_ENV,
|
def setup_environment(self, custom=settings.CUSTOM_ENV,
|
||||||
build_images=settings.BUILD_IMAGES,
|
build_images=settings.BUILD_IMAGES,
|
||||||
iso_connect_as=settings.ADMIN_BOOT_DEVICE,
|
iso_connect_as=settings.ADMIN_BOOT_DEVICE,
|
||||||
security=settings.SECURITY_TEST):
|
security=settings.SECURITY_TEST,
|
||||||
|
force_ssl=settings.FORCE_HTTPS_MASTER_NODE):
|
||||||
# Create environment and start the Fuel master node
|
# Create environment and start the Fuel master node
|
||||||
admin = self.d_env.nodes().admin
|
admin = self.d_env.nodes().admin
|
||||||
self.d_env.start([admin])
|
self.d_env.start([admin])
|
||||||
@ -565,6 +566,29 @@ class EnvironmentModel(object):
|
|||||||
)
|
)
|
||||||
logger.debug('Offloading settings:\n{0}\n'.format(
|
logger.debug('Offloading settings:\n{0}\n'.format(
|
||||||
''.join(result['stdout'])))
|
''.join(result['stdout'])))
|
||||||
|
if force_ssl:
|
||||||
|
self.enable_force_https(self.ssh_manager.admin_ip)
|
||||||
|
|
||||||
|
@logwrap
|
||||||
|
def enable_force_https(self, admin_node_ip):
|
||||||
|
cmd = """
|
||||||
|
echo -e '"SSL":\n "force_https": "true"' >> /etc/fuel/astute.yaml
|
||||||
|
"""
|
||||||
|
self.ssh_manager.execute_on_remote(admin_node_ip, cmd)
|
||||||
|
cmd = "find / -name \"nginx_services.pp\""
|
||||||
|
puppet_manifest = \
|
||||||
|
self.ssh_manager.execute_on_remote(
|
||||||
|
admin_node_ip, cmd)['stdout'][0].strip()
|
||||||
|
cmd = 'puppet apply {0}'.format(puppet_manifest)
|
||||||
|
self.ssh_manager.execute_on_remote(admin_node_ip, cmd)
|
||||||
|
cmd = """
|
||||||
|
systemctl status nginx.service |
|
||||||
|
awk 'match($0, /\s+Active:.*\((\w+)\)/, a) {print a[1]}'
|
||||||
|
"""
|
||||||
|
wait(lambda: (
|
||||||
|
self.ssh_manager.execute_on_remote(
|
||||||
|
admin_node_ip, cmd)['stdout'][0] != 'dead'), interval=10,
|
||||||
|
timeout=30)
|
||||||
|
|
||||||
@update_rpm_packages
|
@update_rpm_packages
|
||||||
@upload_manifests
|
@upload_manifests
|
||||||
|
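Review bot: The readiness check at the end of `enable_force_https` compares `['stdout'][0]` with `'dead'` without stripping it, while the `find` result a few lines earlier is stripped before use; if stdout entries carry a trailing newline, the comparison is always true and `wait` returns at once even when nginx is down. Comparing against the expected state is stricter: `admin_node_ip, cmd)['stdout'][0].strip() == 'running'), interval=10,`. Two smaller points in the same method: `['stdout'][0]` raises IndexError when `find` or `awk` prints nothing, and the `echo … >> /etc/fuel/astute.yaml` append adds a second `"SSL"` key if the method runs twice or the file already has one.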
@ -16,6 +16,7 @@ from fuelweb_test import logwrap
|
|||||||
from fuelweb_test import logger
|
from fuelweb_test import logger
|
||||||
from fuelweb_test.helpers.decorators import json_parse
|
from fuelweb_test.helpers.decorators import json_parse
|
||||||
from fuelweb_test.helpers.http import HTTPClient
|
from fuelweb_test.helpers.http import HTTPClient
|
||||||
|
from fuelweb_test.settings import FORCE_HTTPS_MASTER_NODE
|
||||||
from fuelweb_test.settings import KEYSTONE_CREDS
|
from fuelweb_test.settings import KEYSTONE_CREDS
|
||||||
from fuelweb_test.settings import OPENSTACK_RELEASE
|
from fuelweb_test.settings import OPENSTACK_RELEASE
|
||||||
|
|
||||||
@ -24,12 +25,14 @@ class NailgunClient(object):
|
|||||||
"""NailgunClient""" # TODO documentation
|
"""NailgunClient""" # TODO documentation
|
||||||
|
|
||||||
def __init__(self, admin_node_ip, **kwargs):
|
def __init__(self, admin_node_ip, **kwargs):
|
||||||
url = "http://{0}:8000".format(admin_node_ip)
|
if FORCE_HTTPS_MASTER_NODE:
|
||||||
|
url = "https://{0}:8443".format(admin_node_ip)
|
||||||
|
else:
|
||||||
|
url = "http://{0}:8000".format(admin_node_ip)
|
||||||
logger.info('Initiate Nailgun client with url %s', url)
|
logger.info('Initiate Nailgun client with url %s', url)
|
||||||
self.keystone_url = "http://{0}:5000/v2.0".format(admin_node_ip)
|
self.keystone_url = "http://{0}:5000/v2.0".format(admin_node_ip)
|
||||||
self._client = HTTPClient(url=url, keystone_url=self.keystone_url,
|
self._client = HTTPClient(url=url, keystone_url=self.keystone_url,
|
||||||
credentials=KEYSTONE_CREDS,
|
credentials=KEYSTONE_CREDS, **kwargs)
|
||||||
**kwargs)
|
|
||||||
super(NailgunClient, self).__init__()
|
super(NailgunClient, self).__init__()
|
||||||
|
|
||||||
def __repr__(self):
|
def __repr__(self):
|
||||||
|
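Review bot: `self.keystone_url` in `NailgunClient.__init__` stays on `http://{0}:5000/v2.0` when `FORCE_HTTPS_MASTER_NODE` is set, so `KEYSTONE_CREDS` presumably still travel to Keystone in cleartext while only the Nailgun URL moves to TLS. If that is intended because forced HTTPS covers only the 8443 endpoint, a comment saying so would help, e.g. `# Keystone on :5000 is not covered by force_https`. The same scheme-and-port choice is also written out in `create_diagnostic_snapshot`; a shared helper would keep the two from drifting. The hunk does not show how `HTTPClient` handles certificate verification for the `https` URL, so that is worth confirming.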
@ -54,6 +54,7 @@ ADMIN_BOOT_DEVICE = os.environ.get('ADMIN_BOOT_DEVICE', 'cdrom')
|
|||||||
DNS = os.environ.get('DNS', '8.8.8.8')
|
DNS = os.environ.get('DNS', '8.8.8.8')
|
||||||
PUBLIC_TEST_IP = os.environ.get('PUBLIC_TEST_IP', '8.8.8.8')
|
PUBLIC_TEST_IP = os.environ.get('PUBLIC_TEST_IP', '8.8.8.8')
|
||||||
|
|
||||||
|
FORCE_HTTPS_MASTER_NODE = get_var_as_bool('FORCE_HTTPS_MASTER_NODE', False)
|
||||||
DISABLE_SSL = get_var_as_bool('DISABLE_SSL', False)
|
DISABLE_SSL = get_var_as_bool('DISABLE_SSL', False)
|
||||||
VERIFY_SSL = get_var_as_bool('VERIFY_SSL', False)
|
VERIFY_SSL = get_var_as_bool('VERIFY_SSL', False)
|
||||||
SSL_CN = os.environ.get('SSL_CN', 'public.fuel.local')
|
SSL_CN = os.environ.get('SSL_CN', 'public.fuel.local')
|
||||||
|
@ -227,7 +227,7 @@ class CommandLineTest(test_cli_base.CommandLine):
|
|||||||
current_ssl_keypair)
|
current_ssl_keypair)
|
||||||
))
|
))
|
||||||
assert_equal(old_ssl_keypair, current_ssl_keypair,
|
assert_equal(old_ssl_keypair, current_ssl_keypair,
|
||||||
message="SSL keypiars are not equal")
|
message="SSL keypairs are not equal")
|
||||||
# Check floating ranges are equal after cluster deploy
|
# Check floating ranges are equal after cluster deploy
|
||||||
actual_floating_ranges = self.hiera_floating_ranges(controller_node)
|
actual_floating_ranges = self.hiera_floating_ranges(controller_node)
|
||||||
logger.info("Current floating ranges: {0}".format(
|
logger.info("Current floating ranges: {0}".format(
|
||||||
|
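--- a/fuelweb_test/tests/test_ssl.py
+++ b/fuelweb_test/tests/test_ssl.py
@@ -0,0 +1,93 @@
+import httplib
+from urlparse import urlparse
+
+from proboscis import test
+from proboscis.asserts import assert_equal
+
+from fuelweb_test.helpers.decorators import log_snapshot_after_test
+from fuelweb_test.settings import DEPLOYMENT_MODE
+from fuelweb_test.tests.base_test_case import SetupEnvironment
+from fuelweb_test.tests.base_test_case import TestBasic
+from fuelweb_test.helpers.os_actions import OpenStackActions
+
+
+@test(groups=["ssl"])
+class SSL_Tests(TestBasic):
+@test(depends_on=[SetupEnvironment.prepare_release],
+groups=["master_node_with_https_only"])
+@log_snapshot_after_test
+def master_node_with_https_only(self):
+"""Check cluster creation with SSL is enabled only on Master node
+
+Scenario:
+1. Revert the snapshot "ready" with forced https
+2. Check that we cannot connect to master node by http(8000 port)
+3. Bootstrap slaves nodes and
+check here that they appears in nailgun
+
+Duration 30m
+"""
+self.show_step(1)
+self.env.revert_snapshot("ready")
+admin_ip = self.ssh_manager.admin_ip
+self.show_step(2)
+connection = httplib.HTTPConnection(admin_ip, 8000)
+connection.request("GET", "/")
+response = connection.getresponse()
+assert_equal(str(response.status), '301',
+message="HTTP was not disabled for master node")
+self.show_step(3)
+self.env.bootstrap_nodes(self.env.d_env.nodes().slaves[:2])
+nodes = self.fuel_web.client.list_nodes()
+assert_equal(2, len(nodes))
+self.env.make_snapshot("master_node_with_https_only", is_make=True)
+
+@test(depends_on=['master_node_with_https_only'],
+groups=["endpoints_with_disabled_ssl"])
+@log_snapshot_after_test
+def endpoints_with_disabled_ssl(self):
+"""Check MOS services are NOT running ssl on public endpoints
+when TLS is disabled
+
+Scenario:
+1. Revert snapshot "master_node_with_https_only"
+2. Create a new cluster
+3. Disable TLS for public endpoints
+4. Deploy cluster
+5. Run OSTF
+6. Check that all endpoints link to plain http protocol.
+
+Duration 30m
+"""
+self.show_step(1)
+self.env.revert_snapshot("master_node_with_https_only")
+self.show_step(2)
+self.show_step(3)
+cluster_id = self.fuel_web.create_cluster(
+name=self.__class__.__name__,
+configure_ssl=False,
+mode=DEPLOYMENT_MODE)
+self.fuel_web.update_nodes(
+cluster_id,
+{
+'slave-01': ['controller'],
+'slave-02': ['compute', 'cinder'],
+}
+)
+self.show_step(4)
+self.fuel_web.deploy_cluster_wait(cluster_id)
+self.show_step(5)
+# Run OSTF
+self.fuel_web.run_ostf(cluster_id=cluster_id,
+test_sets=['smoke'])
+self.show_step(6)
+# Get controller ip address
+controller_keystone_ip = self.fuel_web.get_public_vip(cluster_id)
+action = OpenStackActions(controller_ip=controller_keystone_ip)
+endpoint_list = action.get_keystone_endpoints()
+for endpoint in endpoint_list:
+url = urlparse(endpoint.publicurl)
+assert_equal(url.scheme, "http",
+message=(
+"Endpoint id {0} uses {1} instead http.".format(
+endpoint.id, url.scheme)))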
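Review bot: Step 2 of `master_node_with_https_only` accepts any 301 from port 8000 as proof that HTTP is off, but it never looks at where the redirect points, and the docstring says the connection should fail rather than redirect. Checking the target makes the test assert what it claims: `assert_equal(urlparse(response.getheader('location')).scheme, 'https', message="HTTP redirect does not point to https")`. The `HTTPConnection` is also opened without a timeout and never closed, so an unresponsive master node would hang the test; `httplib.HTTPConnection(admin_ip, 8000, timeout=30)` plus `connection.close()` after reading the response would fix that. The scenario depends on `FORCE_HTTPS_MASTER_NODE` being set in the environment, which the test does not check.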