path: root/tests/integration_tests/modules/test_ca_certs.py
"""Integration tests for cc_ca_certs.

(This is ported from ``tests/cloud_tests/testcases/modules/ca_certs.yaml``.)

TODO:
* Mark this as running on Debian and Alpine (once we have marks for that)
* Implement testing for the RHEL-specific paths
"""
import os.path

import pytest

from tests.integration_tests.instances import IntegrationInstance
from tests.integration_tests.releases import IS_UBUNTU
from tests.integration_tests.util import get_inactive_modules, verify_clean_log

# cloud-config fixture applied to the test instance: it asks for the default
# CA certificates to be removed and adds one inline PEM certificate as trusted.
# The link names and the bundle checksum asserted in TestCaCerts are presumably
# derived from these exact bytes, so change the fixture and those expected
# values together.
# NOTE(review): the PEM appears to decode as a public sample certificate
# (issuer "Freelan Sample Certificate Authority", end-entity rather than CA)
# whose validity window ended in 2022 -- confirm. The tests in this file check
# that the certificate is installed, not that it validates, so an expired
# fixture does not fail them.
USER_DATA = """\
#cloud-config
ca_certs:
  remove_defaults: true
  trusted:
    - |
      -----BEGIN CERTIFICATE-----
      MIIGJzCCBA+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBsjELMAkGA1UEBhMCRlIx
      DzANBgNVBAgMBkFsc2FjZTETMBEGA1UEBwwKU3RyYXNib3VyZzEYMBYGA1UECgwP
      d3d3LmZyZWVsYW4ub3JnMRAwDgYDVQQLDAdmcmVlbGFuMS0wKwYDVQQDDCRGcmVl
      bGFuIFNhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW
      E2NvbnRhY3RAZnJlZWxhbi5vcmcwHhcNMTIwNDI3MTAzMTE4WhcNMjIwNDI1MTAz
      MTE4WjB+MQswCQYDVQQGEwJGUjEPMA0GA1UECAwGQWxzYWNlMRgwFgYDVQQKDA93
      d3cuZnJlZWxhbi5vcmcxEDAOBgNVBAsMB2ZyZWVsYW4xDjAMBgNVBAMMBWFsaWNl
      MSIwIAYJKoZIhvcNAQkBFhNjb250YWN0QGZyZWVsYW4ub3JnMIICIjANBgkqhkiG
      9w0BAQEFAAOCAg8AMIICCgKCAgEA3W29+ID6194bH6ejLrIC4hb2Ugo8v6ZC+Mrc
      k2dNYMNPjcOKABvxxEtBamnSaeU/IY7FC/giN622LEtV/3oDcrua0+yWuVafyxmZ
      yTKUb4/GUgafRQPf/eiX9urWurtIK7XgNGFNUjYPq4dSJQPPhwCHE/LKAykWnZBX
      RrX0Dq4XyApNku0IpjIjEXH+8ixE12wH8wt7DEvdO7T3N3CfUbaITl1qBX+Nm2Z6
      q4Ag/u5rl8NJfXg71ZmXA3XOj7zFvpyapRIZcPmkvZYn7SMCp8dXyXHPdpSiIWL2
      uB3KiO4JrUYvt2GzLBUThp+lNSZaZ/Q3yOaAAUkOx+1h08285Pi+P8lO+H2Xic4S
      vMq1xtLg2bNoPC5KnbRfuFPuUD2/3dSiiragJ6uYDLOyWJDivKGt/72OVTEPAL9o
      6T2pGZrwbQuiFGrGTMZOvWMSpQtNl+tCCXlT4mWqJDRwuMGrI4DnnGzt3IKqNwS4
      Qyo9KqjMIPwnXZAmWPm3FOKe4sFwc5fpawKO01JZewDsYTDxVj+cwXwFxbE2yBiF
      z2FAHwfopwaH35p3C6lkcgP2k/zgAlnBluzACUI+MKJ/G0gv/uAhj1OHJQ3L6kn1
      SpvQ41/ueBjlunExqQSYD7GtZ1Kg8uOcq2r+WISE3Qc9MpQFFkUVllmgWGwYDuN3
      Zsez95kCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNT
      TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFFlfyRO6G8y5qEFKikl5
      ajb2fT7XMB8GA1UdIwQYMBaAFCNsLT0+KV14uGw+quK7Lh5sh/JTMA0GCSqGSIb3
      DQEBBQUAA4ICAQAT5wJFPqervbja5+90iKxi1d0QVtVGB+z6aoAMuWK+qgi0vgvr
      mu9ot2lvTSCSnRhjeiP0SIdqFMORmBtOCFk/kYDp9M/91b+vS+S9eAlxrNCB5VOf
      PqxEPp/wv1rBcE4GBO/c6HcFon3F+oBYCsUQbZDKSSZxhDm3mj7pb67FNbZbJIzJ
      70HDsRe2O04oiTx+h6g6pW3cOQMgIAvFgKN5Ex727K4230B0NIdGkzuj4KSML0NM
      slSAcXZ41OoSKNjy44BVEZv0ZdxTDrRM4EwJtNyggFzmtTuV02nkUj1bYYYC5f0L
      ADr6s0XMyaNk8twlWYlYDZ5uKDpVRVBfiGcq0uJIzIvemhuTrofh8pBQQNkPRDFT
      Rq1iTo1Ihhl3/Fl1kXk1WR3jTjNb4jHX7lIoXwpwp767HAPKGhjQ9cFbnHMEtkro
      RlJYdtRq5mccDtwT0GFyoJLLBZdHHMHJz0F9H7FNk2tTQQMhK5MVYwg+LIaee586
      CQVqfbscp7evlgjLW98H+5zylRHAgoH2G79aHljNKMp9BOuq6SnEglEsiWGVtu2l
      hnx8SB3sVJZHeer8f/UQQwqbAO+Kdy70NmbSaqaVtp8jOxLiidWkwSyRTsuU6D8i
      DiH5uEqBXExjrj0FslxcVKdVj5glVcSmkLwZKbEU1OKwleT/iXFhvooWhQ==
      -----END CERTIFICATE-----
"""


@pytest.mark.skipif(
    not IS_UBUNTU, reason="CA cert functionality is distro specific"
)
@pytest.mark.user_data(USER_DATA)
class TestCaCerts:
    """Check the trust store produced by the ``ca_certs`` config in USER_DATA.

    USER_DATA sets ``remove_defaults: true`` and supplies a single trusted
    PEM, so the expectations below are written for a store that holds that
    one entry.
    """

    def test_certs_updated(self, class_client: IntegrationInstance):
        """Check the file and symlink layout of /etc/ssl/certs."""
        cert_dir = "/etc/ssl/certs"
        listing = class_client.execute(["ls", "-1", cert_dir])
        regular_files = []
        symlinks = {}
        for entry in listing.splitlines():
            # A failed ``readlink`` is taken to mean the entry is not a
            # symlink; a successful one yields the link target.
            target = class_client.execute(
                ["readlink", os.path.join(cert_dir, entry)]
            )
            if not target.ok:
                regular_files.append(entry)
                continue
            symlinks[entry] = target

        # The merged bundle must be the only entry that is not a symlink.
        assert ["ca-certificates.crt"] == regular_files

        # NOTE(review): "a535c1f3.0" looks like the hash-named link created
        # for the fixture certificate -- confirm it is derived from USER_DATA.
        hash_link_target = symlinks["a535c1f3.0"]
        assert "cloud-init-ca-cert-1.pem" == hash_link_target

        pem_link_target = symlinks["cloud-init-ca-cert-1.pem"]
        assert (
            "/usr/local/share/ca-certificates/cloud-init-ca-cert-1.crt"
            == pem_link_target
        )

    def test_cert_installed(self, class_client: IntegrationInstance):
        """Check the merged CA bundle against a pinned SHA-256 digest."""
        # Pinned digest of the whole bundle file. Presumably it covers only
        # the USER_DATA certificate because the defaults are removed, so it
        # has to be regenerated whenever that fixture changes.
        expected_sha256 = (
            "78e875f18c73c1aab9167ae0bd323391e52222cc2dbcda42d129537219300062"
        )
        sha256sum_output = class_client.execute(
            "sha256sum /etc/ssl/certs/ca-certificates.crt"
        )
        assert expected_sha256 in sha256sum_output

    def test_clean_log(self, class_client: IntegrationInstance):
        """Check the cloud-init log is clean and lists the expected
        inactive modules.
        """
        log = class_client.read_from_file("/var/log/cloud-init.log")
        # Deprecation messages are not ignored by this check.
        verify_clean_log(log, ignore_deprecations=False)

        expected_inactive = {
            "apt-pipelining",
            "ansible",
            "bootcmd",
            "chef",
            "disable-ec2-metadata",
            "disk_setup",
            "fan",
            "keyboard",
            "landscape",
            "lxd",
            "mcollective",
            "ntp",
            "package-update-upgrade-install",
            "phone-home",
            "power-state-change",
            "puppet",
            "rsyslog",
            "runcmd",
            "salt-minion",
            "snap",
            "timezone",
            "ubuntu_autoinstall",
            "ubuntu-advantage",
            "ubuntu-drivers",
            "update_etc_hosts",
            "wireguard",
            "write-files",
            "write-files-deferred",
        }

        # Some platforms run certain modules regardless of user-data; those
        # modules are taken out of the expected-inactive set.
        settings = class_client.settings
        platform = settings.PLATFORM
        if platform == "azure":
            runs_regardless = {"disk_setup"}
        elif platform == "gce":
            runs_regardless = {"ntp"}
        elif platform == "lxd_vm" and settings.OS_IMAGE == "bionic":
            runs_regardless = {"write-files", "write-files-deferred"}
        else:
            runs_regardless = set()
        expected_inactive -= runs_regardless

        reported_inactive = get_inactive_modules(log)
        diff = expected_inactive.symmetric_difference(reported_inactive)
        assert (
            not diff
        ), f"Expected inactive modules do not match, diff: {diff}"