Codebase list cinder-tempest-plugin / ec47ff7 cinder_tempest_plugin / scenario / test_encrypted_volume_transfer.py
ec47ff7

Tree @ec47ff7 (Download .tar.gz)

test_encrypted_volume_transfer.py @ec47ff7raw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# Copyright 2022 Red Hat, Inc.
# All rights reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from tempest.common import utils
from tempest.common import waiters
from tempest import config
from tempest.lib import decorators
from tempest.scenario import manager

CONF = config.CONF


class TransferEncryptedVolumeTest(manager.EncryptionScenarioTest):

    volume_min_microversion = '3.70'
    volume_max_microversion = 'latest'

    credentials = ['primary', 'alt', 'admin']

    @classmethod
    def setup_clients(cls):
        super(TransferEncryptedVolumeTest, cls).setup_clients()

        # We need the "mv355" volume transfers client
        cls.client = cls.os_primary.volume_transfers_mv355_client_latest
        cls.alt_client = cls.os_alt.volume_transfers_mv355_client_latest
        cls.alt_volumes_client = cls.os_alt.volumes_client_latest

    @classmethod
    def skip_checks(cls):
        super(TransferEncryptedVolumeTest, cls).skip_checks()
        if not CONF.service_available.barbican:
            raise cls.skipException('Barbican is required')

    def setUp(self):
        super(TransferEncryptedVolumeTest, self).setUp()
        self.keypair = self.create_keypair()
        self.security_group = self.create_security_group()

    def _create_encrypted_volume_from_image(self):
        volume_type = self.create_volume_type()
        self.create_encryption_type(type_id=volume_type['id'],
                                    provider='luks',
                                    key_size=256,
                                    cipher='aes-xts-plain64',
                                    control_location='front-end')
        return self.create_volume_from_image(volume_type=volume_type['id'])

    def _create_or_get_timestamp(self, volume, timestamp_fn):
        server = self.boot_instance_from_resource(
            source_id=volume['id'],
            source_type='volume',
            keypair=self.keypair,
            security_group=self.security_group)
        server_ip = self.get_server_ip(server)
        timestamp = timestamp_fn(server_ip,
                                 private_key=self.keypair['private_key'],
                                 server=server)
        self.servers_client.delete_server(server['id'])
        waiters.wait_for_server_termination(self.servers_client, server['id'])
        return timestamp

    def _create_transfer(self, volume, transfer_client, volumes_client):
        body = transfer_client.create_volume_transfer(volume_id=volume['id'])
        transfer = body['transfer']
        waiters.wait_for_volume_resource_status(volumes_client,
                                                volume['id'],
                                                'awaiting-transfer')
        return transfer

    def _accept_transfer(self, transfer, transfer_client, volumes_client):
        _ = transfer_client.accept_volume_transfer(
            transfer['id'], auth_key=transfer['auth_key'])
        waiters.wait_for_volume_resource_status(volumes_client,
                                                transfer['volume_id'],
                                                'available')

    def _delete_transfer(self, transfer, transfer_client, volumes_client):
        _ = transfer_client.delete_volume_transfer(transfer['id'])
        waiters.wait_for_volume_resource_status(volumes_client,
                                                transfer['volume_id'],
                                                'available')

    @decorators.idempotent_id('a694dc4d-d11b-45cb-b268-62e76cc1b4f4')
    @utils.services('compute', 'volume', 'image', 'network')
    def test_create_accept_volume_transfer(self):
        """Verify the ability to transfer an encrypted volume:

        * Create an encrypted volume from image
        * Boot an instance from the volume and write a timestamp
        * Transfer the volume to another project, then transfer it back
          again to the original project (see comments in the code for why
          this is done).
        * Boot annother instance from the volume and read the timestamp
        * Verify the timestamps match, and the volume has a new
          encryption_key_id.
        """

        # Create a bootable encrypted volume.
        volume = self._create_encrypted_volume_from_image()

        # Create an instance from the volume and write a timestamp.
        timestamp_1 = self._create_or_get_timestamp(volume,
                                                    self.create_timestamp)

        # Transfer the volume to another project.
        transfer = self._create_transfer(volume,
                                         self.client,
                                         self.volumes_client)
        self._accept_transfer(transfer,
                              self.alt_client,
                              self.alt_volumes_client)

        # Transfer the volume back to the original project. This is done
        # only because it's awkward in tempest to boot an instance and
        # access it (to read the timestamp) in another project without
        # setting up another security group and group rules.
        transfer = self._create_transfer(volume,
                                         self.alt_client,
                                         self.alt_volumes_client)
        self._accept_transfer(transfer, self.client, self.volumes_client)

        # Create another instance from the volume and read the timestamp.
        timestamp_2 = self._create_or_get_timestamp(volume,
                                                    self.get_timestamp)

        self.assertEqual(timestamp_1, timestamp_2)

        # Verify the volume has a new encryption_key_id.
        encryption_key_id_1 = volume['encryption_key_id']
        volume = self.volumes_client.show_volume(volume['id'])['volume']
        encryption_key_id_2 = volume['encryption_key_id']

        self.assertNotEqual(encryption_key_id_1, encryption_key_id_2)

    @decorators.idempotent_id('00c04d27-b3c6-454c-a0b4-223a195c4a89')
    @utils.services('compute', 'volume', 'image', 'network')
    def test_create_delete_volume_transfer(self):
        """Verify the ability to cancel an encrypted volume transfer:

        * Create an encrypted volume from image
        * Boot an instance from the volume and write a timestamp
        * Create and delete a volume transfer
        * Boot annother instance from the volume and read the timestamp
        * Verify the timestamps match, and the volume has a new
          encryption_key_id.
        """

        # Create a bootable encrypted volume.
        volume = self._create_encrypted_volume_from_image()

        # Create an instance from the volume and write a timestamp.
        timestamp_1 = self._create_or_get_timestamp(volume,
                                                    self.create_timestamp)

        # Create and then delete a transfer of the volume
        transfer = self._create_transfer(volume,
                                         self.client,
                                         self.volumes_client)
        self._delete_transfer(transfer, self.client, self.volumes_client)

        # Create another instance from the volume and read the timestamp.
        timestamp_2 = self._create_or_get_timestamp(volume,
                                                    self.get_timestamp)

        self.assertEqual(timestamp_1, timestamp_2)

        # Verify the volume has a new encryption_key_id.
        encryption_key_id_1 = volume['encryption_key_id']
        volume = self.volumes_client.show_volume(volume['id'])['volume']
        encryption_key_id_2 = volume['encryption_key_id']

        self.assertNotEqual(encryption_key_id_1, encryption_key_id_2)