Add rotate-admin-password functional test

Add a functional test that verifies the rotate-admin-password action in the keystone charm. Relevant patch in the charm-keystone repo: https://review.opendev.org/c/openstack/charm-keystone/+/832665
openstack-charmers · Mar 14, 2022 · fc7e903 · fc7e903
1 parent acaeb62
commit fc7e903
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py
@@ -150,6 +150,47 @@ def test_key_distribution_and_rotation(self):
                              .format(pprint.pformat(unit_repo),
                                      pprint.pformat(lead_repo)))
 
+    def test_rotate_admin_password(self):
+        """Verify action used to rotate admin user's password."""
+        ADMIN_PASSWD = 'admin_passwd'
+        old_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
+
+        # test access using the old password
+        with self.v3_keystone_preferred():
+            for ip in self.keystone_ips:
+                try:
+                    ks_session = openstack_utils.get_keystone_session(
+                        openstack_utils.get_overcloud_auth(address=ip))
+                    ks_client = openstack_utils.get_keystone_session_client(
+                        ks_session)
+                    ks_client.users.list()
+                except keystoneauth1.exceptions.http.Forbidden:
+                    raise zaza_exceptions.KeystoneAuthorizationStrict(
+                        'Keystone auth with old password FAILED.')
+
+        # run the action to rotate the password
+        zaza.model.run_action_on_leader(
+            self.application_name,
+            'rotate-admin-password',
+        )
+
+        # test access using the new password
+        with self.v3_keystone_preferred():
+            for ip in self.keystone_ips:
+                try:
+                    ks_session = openstack_utils.get_keystone_session(
+                        openstack_utils.get_overcloud_auth(address=ip))
+                    ks_client = openstack_utils.get_keystone_session_client(
+                        ks_session)
+                    ks_client.users.list()
+                except keystoneauth1.exceptions.http.Forbidden:
+                    raise zaza_exceptions.KeystoneAuthorizationStrict(
+                        'Keystone auth with new password FAILED.')
+
+        # make sure the password was actually changed
+        new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
+        assert old_passwd != new_passwd
+
 
 class AuthenticationAuthorizationTest(BaseKeystoneTest):
     """Keystone authentication and authorization tests."""