tests: Remove trust password
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit a47d14fdeac0d2fb4544553b7a4973e62816a68d)
Signed-off-by: Julian Pelizäus <[email protected]>
License: Apache-2.0
stgraber authored and roosterfish committed Jun 12, 2024
1 parent a33caf0 commit a840f8b
Showing 22 changed files with 172 additions and 270 deletions.
3 changes: 0 additions & 3 deletions test/extras/stresstest.sh
Expand Up @@ -102,9 +102,6 @@ spawn_lxd() {

echo "==> Binding to network"
LXD_DIR="$lxddir" lxc config set core.https_address "$addr"

echo "==> Setting trust password"
LXD_DIR="$lxddir" lxc config set core.trust_password foo
}

spawn_lxd 127.0.0.1:18443 "$LXD_DIR"
97 changes: 2 additions & 95 deletions test/includes/clustering.sh
Expand Up @@ -133,7 +133,6 @@ spawn_lxd_and_bootstrap_cluster() {

cat > "${LXD_DIR}/preseed.yaml" <<EOF
config:
core.trust_password: sekret
core.https_address: 10.1.1.101:8443
EOF
if [ "${port}" != "" ]; then
Expand Down Expand Up @@ -202,97 +201,6 @@ spawn_lxd_and_join_cluster() {
# shellcheck disable=SC2039,SC3043
local LXD_NETNS

set -e
ns="${1}"
bridge="${2}"
cert="${3}"
index="${4}"
target="${5}"
LXD_DIR="${6}"
driver="dir"
port="8443"
if [ "$#" -ge "7" ]; then
driver="${7}"
fi
if [ "$#" -ge "8" ]; then
port="${8}"
fi

echo "==> Spawn additional cluster node in ${ns} with storage driver ${driver}"
secret="${LXD_SECRET:-"sekret"}"

LXD_NETNS="${ns}" spawn_lxd "${LXD_DIR}" false
(
set -e

# If a custom cluster port was given, we need to first set the REST
# API address.
if [ "${port}" != "8443" ]; then
lxc config set core.https_address "10.1.1.10${index}:8443"
fi

cat > "${LXD_DIR}/preseed.yaml" <<EOF
cluster:
enabled: true
server_name: node${index}
server_address: 10.1.1.10${index}:${port}
cluster_address: 10.1.1.10${target}:8443
cluster_certificate: "$cert"
cluster_password: ${secret}
member_config:
EOF
# Declare the pool only if the driver is not ceph, because
# the ceph pool doesn't need to be created on the joining
# node (it's shared with the bootstrap one).
if [ "${driver}" != "ceph" ]; then
cat >> "${LXD_DIR}/preseed.yaml" <<EOF
- entity: storage-pool
name: data
key: source
value: ""
EOF
if [ "${driver}" = "zfs" ]; then
cat >> "${LXD_DIR}/preseed.yaml" <<EOF
- entity: storage-pool
name: data
key: zfs.pool_name
value: lxdtest-$(basename "${TEST_DIR}")-${ns}
- entity: storage-pool
name: data
key: size
value: 1GiB
EOF
fi
if [ "${driver}" = "lvm" ]; then
cat >> "${LXD_DIR}/preseed.yaml" <<EOF
- entity: storage-pool
name: data
key: lvm.vg_name
value: lxdtest-$(basename "${TEST_DIR}")-${ns}
- entity: storage-pool
name: data
key: size
value: 1GiB
EOF
fi
if [ "${driver}" = "btrfs" ]; then
cat >> "${LXD_DIR}/preseed.yaml" <<EOF
- entity: storage-pool
name: data
key: size
value: 1GiB
EOF
fi
fi

lxd init --preseed < "${LXD_DIR}/preseed.yaml"
)
}

spawn_lxd_and_join_cluster_with_token() {
# shellcheck disable=SC2039,SC3043
local LXD_NETNS

set -e
ns="${1}"
bridge="${2}"
Expand All @@ -308,14 +216,13 @@ spawn_lxd_and_join_cluster_with_token() {
driver="dir"
port="8443"
if [ "$#" -ge "8" ]; then
driver="${8}"
driver="${8}"
fi
if [ "$#" -ge "9" ]; then
port="${9}"
port="${9}"
fi

echo "==> Spawn additional cluster node in ${ns} with storage driver ${driver}"
secret="${LXD_SECRET:-"sekret"}"

LXD_NETNS="${ns}" spawn_lxd "${LXD_DIR}" false
(
2 changes: 0 additions & 2 deletions test/includes/lxd.sh
Expand Up @@ -60,8 +60,6 @@ spawn_lxd() {
done
fi

echo "==> Setting trust password"
LXD_DIR="${lxddir}" lxc config set core.trust_password foo
if [ -n "${DEBUG:-}" ]; then
set -x
fi
3 changes: 2 additions & 1 deletion test/includes/setup.sh
Expand Up @@ -4,7 +4,8 @@ ensure_has_localhost_remote() {
# shellcheck disable=SC2039,3043
local addr="${1}"
if ! lxc remote list | grep -q "localhost"; then
lxc remote add localhost "https://${addr}" --accept-certificate --password foo
token="$(lxc config trust add --name foo -q)"
lxc remote add localhost "https://${addr}" --accept-certificate --token "${token}"
fi
}
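Review bot: In `ensure_has_localhost_remote`, `token` is assigned without `local`, so the one-time trust token stays in the global scope of every test that sources this file, unlike `addr` on the line above it. The result of `lxc config trust add` is also not checked here: unless the caller runs under `set -e`, a failure hands an empty `--token` to `lxc remote add` and the error surfaces one step late. I would declare it first and bail out early, `local token` followed by `token="$(lxc config trust add --name foo -q)" || return 1`. When `DEBUG` turns on `set -x` (as `spawn_lxd` does), the token is also written to the trace because it travels on the command line; that is acceptable for a throwaway test daemon but worth a one-line comment saying so.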

19 changes: 5 additions & 14 deletions test/suites/auth.sh
Expand Up @@ -225,31 +225,22 @@ fine_grained_authorization() {
lxc auth group permission remove test-group server can_view_warnings

# Check we are not able to view any server config currently.
# Here we explicitly use two settings that contain actual passwords.
lxc config set core.trust_password foo2
lxc config set loki.auth.password bar2
# Here we explicitly a setting that contains an actual password.
lxc config set loki.auth.password bar
[ "$(lxc_remote query oidc:/1.0 | jq '.config | length')" = 0 ]
[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."core.trust_password"')" = "null" ]
[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."loki.auth.password"')" = "null" ]

# Check we are not able to set any server config currently.
! lxc_remote config set oidc: core.trust_password foo3 || false
! lxc_remote config set oidc: loki.auth.password bar3 || false
! lxc_remote config set oidc: loki.auth.password bar2 || false

# Add "can_edit" permission to group.
lxc auth group permission add test-group server can_edit

# Check we can view the server's config.
# As the core.trust_password is stored as scrypt value together with its hash, we cannot easily compare it against the original value.
[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."core.trust_password"')" != "null" ]
[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."loki.auth.password"')" = "bar2" ]
[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."loki.auth.password"')" = "bar" ]

# Check we can modify the server's config.
lxc_remote config set oidc: core.trust_password foo3
lxc_remote config set oidc: loki.auth.password bar3

# Reset the trust password to prevent side effects.
lxc config set core.trust_password foo
lxc_remote config set oidc: loki.auth.password bar2

lxc auth group permission remove test-group server can_edit
lxc config unset loki.auth.password
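Review bot: The rewritten comment `# Here we explicitly a setting that contains an actual password.` lost its verb and should read `# Here we explicitly use a setting that contains an actual password.`. Separately, the "Check we can modify the server's config" step only runs `lxc_remote config set oidc: loki.auth.password bar2` and never reads the value back, so a server that accepted the request but discarded the write would still pass the test. A read-back right after it closes that gap: `[ "$(lxc_remote query oidc:/1.0 | jq -r '.config."loki.auth.password"')" = "bar2" ]`. `fine_grained_authorization` starts and ends outside this hunk.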
6 changes: 3 additions & 3 deletions test/suites/basic.sh
Expand Up @@ -656,11 +656,9 @@ test_basic_usage() {

# Test rebuilding an instance with a new image.
lxc init c1 --empty
lxc remote add l1 "${LXD_ADDR}" --accept-certificate --password foo
lxc rebuild l1:testimage c1
lxc rebuild testimage c1
lxc start c1
lxc delete c1 -f
lxc remote remove l1

# Test rebuilding an instance with an empty file system.
lxc init testimage c1
Expand All @@ -680,6 +678,8 @@ test_basic_usage() {
lxc launch testimage c2
lxc launch testimage c3

fingerprint="$(lxc config trust ls --format csv | cut -d, -f4)"
lxc config trust remove "${fingerprint}"
lxc delete -f c1 c2 c3
remaining_instances="$(lxc list --format csv)"
[ -z "${remaining_instances}" ]
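Review bot: `fingerprint="$(lxc config trust ls --format csv | cut -d, -f4)"` assumes the trust store holds exactly one entry; with two or more, `fingerprint` becomes several newline-separated values and `lxc config trust remove "${fingerprint}"` receives them as a single argument. It also relies on the fingerprint being the fourth CSV column and on no earlier field containing a comma. Asserting the count first makes that assumption explicit, for example `[ "$(lxc config trust ls --format csv | wc -l)" -eq 1 ]` before the removal. A short comment saying why a trust entry has to be dropped at this point would help as well, since the reason is not visible in the hunk; `test_basic_usage` continues outside it.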