This patch expands the testing of SSH key renewal by changing the key type existing on a cluster during the QA.
Signed-off-by: Hrvoje Ribicic <[email protected]> --- qa/qa_cluster.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) diff --git a/qa/qa_cluster.py b/qa/qa_cluster.py index 1ad2fb9..941967c 100644 --- a/qa/qa_cluster.py +++ b/qa/qa_cluster.py @@ -1195,6 +1195,56 @@ def _AssertSsconfCertFiles(): " '%s'." % (node, first_node)) +def _TestSSHKeyChanges(master_node): + """Tests a lot of SSH key type- and size- related functionality. + + @type master_node: string + @param master_node: The cluster master. + + """ + # Helper fn to avoid specifying base params too many times + def _RenewWithParams(new_params, verify=True, fail=False): + AssertCommand(["gnt-cluster", "renew-crypto", "--new-ssh-keys", "-f", + "--no-ssh-key-check"] + new_params, fail=fail) + if not fail and verify: + AssertCommand(["gnt-cluster", "verify"]) + + # And the actual tests + with qa_config.AcquireManyNodesCtx(1, exclude=[master_node]) as nodes: + node_name = nodes[0].primary + + # Another helper function for checking whether a specific key can log in + def _CheckLoginWithKey(key_path, fail=False): + AssertCommand(["ssh", "-oIdentityFile=%s" % key_path, "-oBatchMode=yes", + "-oStrictHostKeyChecking=no", "-oIdentitiesOnly=yes", + "-F/dev/null", node_name, "true"], + fail=fail, forward_agent=False) + + # First test the simplest change + _RenewWithParams([]) + + _RenewWithParams(["--ssh-key-type=dsa"]) + _CheckLoginWithKey(".ssh/id_dsa") + # Stash the key for now + old_key_backup = qa_utils.BackupFile(master_node.primary, ".ssh/id_dsa") + + try: + _RenewWithParams(["--ssh-key-type=rsa"]) + _CheckLoginWithKey(".ssh/id_rsa") + # And check that we cannot log in with the old key + _CheckLoginWithKey(old_key_backup, fail=True) + finally: + AssertCommand(["rm", "-f", old_key_backup]) + + _RenewWithParams(["--ssh-key-bits=4096"]) + _RenewWithParams(["--ssh-key-bits=521"], fail=True) + + # Restore the cluster to its pristine state, skipping the verify as we did + # way too many already + _RenewWithParams(["--ssh-key-type=rsa", "--ssh-key-bits=2048"], + verify=False) + + def TestClusterRenewCrypto(): """gnt-cluster renew-crypto""" master = qa_config.GetMasterNode() @@ -1266,9 +1316,8 @@ def TestClusterRenewCrypto(): _AssertSsconfCertFiles() AssertCommand(["gnt-cluster", "verify"]) - # Only renew SSH keys - AssertCommand(["gnt-cluster", "renew-crypto", "--force", - "--new-ssh-keys", "--no-ssh-key-check"]) + # Comprehensively test various types of SSH key changes + _TestSSHKeyChanges(master) # Restore RAPI certificate AssertCommand(["gnt-cluster", "renew-crypto", "--force", -- 2.6.0.rc2.230.g3dd15c0
