Drop the root requirement for LibreSwanDriver

Change-Id: I880ef5dad6723de06da5dd8a424f7158d65b5a35
Closes-Bug: #1644517

etc/neutron/rootwrap.d/vpnaas.filters

@@ -13,6 +13,7 @@ ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
 rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
+rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root

neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

@@ -39,7 +39,7 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
         # remove it first.
         secrets_file = self._get_config_filename('ipsec.secrets')
         if os.path.exists(secrets_file):
-            os.remove(secrets_file)
+            self._execute(['rm', '-f', secrets_file])
 
         super(LibreSwanProcess, self).ensure_configs()
 

neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py

@@ -1408,13 +1408,15 @@ class TestLibreSwanProcess(base.BaseTestCase):
                                                        self.vpnservice,
                                                        mock.ANY)
 
-    @mock.patch('os.remove')
     @mock.patch('os.path.exists', return_value=True)
-    def test_ensure_configs_on_restart(self, exists_mock, remove_mock):
+    def test_ensure_configs_on_restart(self, exists_mock):
         openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
         with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
             self.ipsec_process.ensure_configs()
-            expected = [mock.call(['chown', '--from=%s' % os.getuid(),
+            expected = [mock.call(['rm', '-f',
+                                   self.ipsec_process._get_config_filename(
+                                       'ipsec.secrets')]),
+                        mock.call(['chown', '--from=%s' % os.getuid(),
                                    'root:root',
                                    self.ipsec_process._get_config_filename(
                                        'ipsec.secrets')]),
@@ -1422,13 +1424,11 @@ class TestLibreSwanProcess(base.BaseTestCase):
                         mock.call(['ipsec', 'checknss',
                                    self.ipsec_process.etc_dir])]
             fake_execute.assert_has_calls(expected)
-            self.assertEqual(3, fake_execute.call_count)
+            self.assertEqual(4, fake_execute.call_count)
             self.assertTrue(exists_mock.called)
-            self.assertTrue(remove_mock.called)
 
-    @mock.patch('os.remove')
     @mock.patch('os.path.exists', return_value=False)
-    def test_ensure_configs(self, exists_mock, remove_mock):
+    def test_ensure_configs(self, exists_mock):
         openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
         with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
             self.ipsec_process.ensure_configs()
@@ -1442,10 +1442,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
             fake_execute.assert_has_calls(expected)
             self.assertEqual(3, fake_execute.call_count)
             self.assertTrue(exists_mock.called)
-            self.assertFalse(remove_mock.called)
 
         exists_mock.reset_mock()
-        remove_mock.reset_mock()
 
         with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
             fake_execute.side_effect = [None, None, RuntimeError, None]
@@ -1462,7 +1460,6 @@ class TestLibreSwanProcess(base.BaseTestCase):
             fake_execute.assert_has_calls(expected)
             self.assertEqual(4, fake_execute.call_count)
             self.assertTrue(exists_mock.called)
-            self.assertFalse(remove_mock.called)
 
 
 class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):