~openstack-charmers-next/charms/xenial/nova-compute/trunk

Viewing changes to tests/charmhelpers/contrib/openstack/amulet/utils.py

Committer: Edward Hope-Morley
Date: 2016-03-24 11:18:41 UTC
mto: This revision was merged to the branch mainline in revision 211.
Revision ID: edward.hope-morley@canonical.com-20160324111841-99ruo5hjzrpqktlx

Add hardening support

Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks.
Also add new config option to allow one or more hardening
modules to be applied at runtime.

Change-Id: I525c15a14662175f2a68cdcd25a3ab2c92237850

files added:
hardening.yaml

hooks/charmhelpers/contrib/hardening

hooks/charmhelpers/contrib/hardening/README.hardening.md

hooks/charmhelpers/contrib/hardening/__init__.py

hooks/charmhelpers/contrib/hardening/apache

hooks/charmhelpers/contrib/hardening/apache/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks

hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py

hooks/charmhelpers/contrib/hardening/apache/checks/config.py

hooks/charmhelpers/contrib/hardening/apache/templates

hooks/charmhelpers/contrib/hardening/apache/templates/__init__.py

hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf

hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf

hooks/charmhelpers/contrib/hardening/audits

hooks/charmhelpers/contrib/hardening/audits/__init__.py

hooks/charmhelpers/contrib/hardening/audits/apache.py

hooks/charmhelpers/contrib/hardening/audits/apt.py

hooks/charmhelpers/contrib/hardening/audits/file.py

hooks/charmhelpers/contrib/hardening/defaults

hooks/charmhelpers/contrib/hardening/defaults/__init__.py

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml

hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml

hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/os.yaml

hooks/charmhelpers/contrib/hardening/defaults/os.yaml.schema

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml

hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema

hooks/charmhelpers/contrib/hardening/harden.py

hooks/charmhelpers/contrib/hardening/host

hooks/charmhelpers/contrib/hardening/host/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks

hooks/charmhelpers/contrib/hardening/host/checks/__init__.py

hooks/charmhelpers/contrib/hardening/host/checks/apt.py

hooks/charmhelpers/contrib/hardening/host/checks/limits.py

hooks/charmhelpers/contrib/hardening/host/checks/login.py

hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py

hooks/charmhelpers/contrib/hardening/host/checks/pam.py

hooks/charmhelpers/contrib/hardening/host/checks/profile.py

hooks/charmhelpers/contrib/hardening/host/checks/securetty.py

hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py

hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py

hooks/charmhelpers/contrib/hardening/host/templates

hooks/charmhelpers/contrib/hardening/host/templates/10.hardcore.conf

hooks/charmhelpers/contrib/hardening/host/templates/99-juju-hardening.conf

hooks/charmhelpers/contrib/hardening/host/templates/__init__.py

hooks/charmhelpers/contrib/hardening/host/templates/login.defs

hooks/charmhelpers/contrib/hardening/host/templates/modules

hooks/charmhelpers/contrib/hardening/host/templates/passwdqc.conf

hooks/charmhelpers/contrib/hardening/host/templates/pinerolo_profile.sh

hooks/charmhelpers/contrib/hardening/host/templates/securetty

hooks/charmhelpers/contrib/hardening/host/templates/tally2

hooks/charmhelpers/contrib/hardening/mysql

hooks/charmhelpers/contrib/hardening/mysql/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks

hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/checks/config.py

hooks/charmhelpers/contrib/hardening/mysql/templates

hooks/charmhelpers/contrib/hardening/mysql/templates/__init__.py

hooks/charmhelpers/contrib/hardening/mysql/templates/hardening.cnf

hooks/charmhelpers/contrib/hardening/ssh

hooks/charmhelpers/contrib/hardening/ssh/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks

hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/checks/config.py

hooks/charmhelpers/contrib/hardening/ssh/templates

hooks/charmhelpers/contrib/hardening/ssh/templates/__init__.py

hooks/charmhelpers/contrib/hardening/ssh/templates/ssh_config

hooks/charmhelpers/contrib/hardening/ssh/templates/sshd_config

hooks/charmhelpers/contrib/hardening/templating.py

hooks/charmhelpers/contrib/hardening/utils.py

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy

files modified:
charm-helpers-hooks.yaml

config.yaml

hooks/charmhelpers/contrib/openstack/amulet/utils.py

hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken

hooks/charmhelpers/contrib/openstack/utils.py

hooks/charmhelpers/contrib/storage/linux/ceph.py

hooks/charmhelpers/core/hookenv.py

hooks/charmhelpers/core/host.py

hooks/nova_compute_hooks.py

tests/charmhelpers/contrib/amulet/utils.py

tests/charmhelpers/contrib/openstack/amulet/utils.py

unit_tests/test_actions_git_reinstall.py

unit_tests/test_nova_compute_hooks.py

Show diffs side-by-side

added added

removed removed

tests/charmhelpers/contrib/openstack/amulet/utils.py

import glanceclient.v1.client as glance_client

import heatclient.v1.client as heat_client

import keystoneclient.v2_0 as keystone_client

import novaclient.v1_1.client as nova_client

from keystoneclient.auth.identity import v3 as keystone_id_v3

from keystoneclient import session as keystone_session

from keystoneclient.v3 import client as keystone_client_v3

import novaclient.client as nova_client

import pika

import swiftclient

DEBUG = logging.DEBUG

ERROR = logging.ERROR

NOVA_CLIENT_VERSION = "2"

class OpenStackAmuletUtils(AmuletUtils):

"""OpenStack amulet utilities.

139

145

return "role {} does not exist".format(e['name'])

140

146

return ret

141

147

142

def validate_user_data(self, expected, actual):

148

def validate_user_data(self, expected, actual, api_version=None):

143

149

"""Validate user data.

144

150

145

151

Validate a list of actual user data vs a list of expected user

150

156

for e in expected:

151

157

found = False

152

158

for act in actual:

153

a = {'enabled': act.enabled, 'name': act.name,

154

'email': act.email, 'tenantId': act.tenantId,

155

'id': act.id}

156

if e['name'] == a['name']:

159

if e['name'] == act.name:

160

a = {'enabled': act.enabled, 'name': act.name,

161

'email': act.email, 'id': act.id}

162

if api_version == 3:

163

a['default_project_id'] = getattr(act,

164

'default_project_id',

165

'none')

166

else:

167

a['tenantId'] = act.tenantId

157

168

found = True

158

169

ret = self._validate_dict_data(e, a)

159

170

if ret:

188

199

return cinder_client.Client(username, password, tenant, ept)

189

200

190

201

def authenticate_keystone_admin(self, keystone_sentry, user, password,

191

tenant):

202

tenant=None, api_version=None,

203

keystone_ip=None):

192

204

"""Authenticates admin user with the keystone admin endpoint."""

193

205

self.log.debug('Authenticating keystone admin...')

194

206

unit = keystone_sentry

195

service_ip = unit.relation('shared-db',

196

'mysql:shared-db')['private-address']

197

ep = "http://{}:35357/v2.0".format(service_ip.strip().decode('utf-8'))

198

return keystone_client.Client(username=user, password=password,

199

tenant_name=tenant, auth_url=ep)

207

if not keystone_ip:

208

keystone_ip = unit.relation('shared-db',

209

'mysql:shared-db')['private-address']

210

base_ep = "http://{}:35357".format(keystone_ip.strip().decode('utf-8'))

211

if not api_version or api_version == 2:

212

ep = base_ep + "/v2.0"

213

return keystone_client.Client(username=user, password=password,

214

tenant_name=tenant, auth_url=ep)

215

else:

216

ep = base_ep + "/v3"

217

auth = keystone_id_v3.Password(

218

user_domain_name='admin_domain',

219

username=user,

220

password=password,

221

domain_name='admin_domain',

222

auth_url=ep,

223

)

224

sess = keystone_session.Session(auth=auth)

225

return keystone_client_v3.Client(session=sess)

200

226

201

227

def authenticate_keystone_user(self, keystone, user, password, tenant):

202

228

"""Authenticates a regular user with the keystone public endpoint."""

225

251

self.log.debug('Authenticating nova user ({})...'.format(user))

226

252

ep = keystone.service_catalog.url_for(service_type='identity',

227

253

endpoint_type='publicURL')

228

return nova_client.Client(username=user, api_key=password,

254

return nova_client.Client(NOVA_CLIENT_VERSION,

255

username=user, api_key=password,

229

256

project_id=tenant, auth_url=ep)

230

257

231

258

def authenticate_swift_user(self, keystone, user, password, tenant):

Older »