From 3919df67ac2a5513fc993c22e4cf2272b7be39d8 Mon Sep 17 00:00:00 2001
From: Veronika Fisarova
Date: Fri, 29 Nov 2024 11:11:06 +0100
Subject: [PATCH] Update fernet keys rotation scripts
Signed-off-by: Veronika Fisarova
Co-authored-by: Andre Aranha
---
 kuttl-test.yaml | 2 +-
 tests/kuttl/common/scripts/rotate_token.sh | 42 +++++++++++++++++++
 .../common/scripts/test_invalid_token.sh | 14 +++++++
 .../common/scripts/validate_test_token.sh | 8 ++--
 .../tests/fernet_rotation/03-assert.yaml | 6 +++
 .../03-rotate_keys_until_invalidate.yaml | 4 ++
 ...t.yaml => 04-cleanup-openstackclient.yaml} | 0
 ...keystone.yaml => 05-cleanup-keystone.yaml} | 0
 .../{04-errors.yaml => 05-errors.yaml} | 0
 9 files changed, 71 insertions(+), 5 deletions(-)
 create mode 100755 tests/kuttl/common/scripts/rotate_token.sh
 create mode 100755 tests/kuttl/common/scripts/test_invalid_token.sh
 create mode 100644 tests/kuttl/tests/fernet_rotation/03-assert.yaml
 create mode 100644 tests/kuttl/tests/fernet_rotation/03-rotate_keys_until_invalidate.yaml
 rename tests/kuttl/tests/fernet_rotation/{03-cleanup-openstackclient.yaml => 04-cleanup-openstackclient.yaml} (100%)
 rename tests/kuttl/tests/fernet_rotation/{04-cleanup-keystone.yaml => 05-cleanup-keystone.yaml} (100%)
 rename tests/kuttl/tests/fernet_rotation/{04-errors.yaml => 05-errors.yaml} (100%)
diff --git a/kuttl-test.yaml b/kuttl-test.yaml
index 37073722..a19cd42a 100644
--- a/kuttl-test.yaml
+++ b/kuttl-test.yaml
@@ -16,7 +16,7 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestSuite
 reportFormat: JSON
 reportName: kuttl-test-keystone
-timeout: 180
+timeout: 800
 namespace: keystone-kuttl-tests
 parallel: 1
 suppress:
diff --git a/tests/kuttl/common/scripts/rotate_token.sh b/tests/kuttl/common/scripts/rotate_token.sh
new file mode 100755
index 00000000..c5fa4f81
--- /dev/null
+++ b/tests/kuttl/common/scripts/rotate_token.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -x
+
+TMP_SECRET_FILE="/tmp/keystone-secret.yaml"
+
+generate_secret_yaml() {
+ cat < $TMP_SECRET_FILE
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keystone
+ namespace: keystone-kuttl-tests
+ annotations:
+ keystone.openstack.org/rotatedat: "2009-11-10T23:00:00Z"
+EOF
+}
+
+for rotation in {1..5}; do
+ echo "Starting rotation $rotation..."
+
+ # Apply new secret to trigger rotation
+ generate_secret_yaml
+ if ! oc apply -f $TMP_SECRET_FILE; then
+ echo "Failed to apply the secret!"
+ rm -f $TMP_SECRET_FILE
+ exit 1
+ fi
+
+ sleep 100
+
+ # Wait for rollout to complete
+ if ! oc rollout status deployment/keystone -n $NAMESPACE --timeout=60s; then
+ echo "Rollout status check failed for rotation $rotation."
+ continue
+ fi
+
+ echo "Rotation $rotation completed successfully."
+done
+
+rm -f $TMP_SECRET_FILE
+echo "All rotations completed successfully."
+exit 0
diff --git a/tests/kuttl/common/scripts/test_invalid_token.sh b/tests/kuttl/common/scripts/test_invalid_token.sh
new file mode 100755
index 00000000..32480484
--- /dev/null
+++ b/tests/kuttl/common/scripts/test_invalid_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -x
+
+export OS_TOKEN=$(cat /tmp/temporary_test_token)
+
+output=$(oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack endpoint list 2>&1)
+
+filtered_output=$(echo "$output" | grep -i "Could not recognize Fernet token")
+
+if echo "$filtered_output" | grep -q "Could not recognize Fernet token"; then
+ exit 0
+else
+ exit 1
+fi
diff --git a/tests/kuttl/common/scripts/validate_test_token.sh b/tests/kuttl/common/scripts/validate_test_token.sh
index 3c9fe201..b61ccd63 100755
--- a/tests/kuttl/common/scripts/validate_test_token.sh
+++ b/tests/kuttl/common/scripts/validate_test_token.sh
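Review bot: A failed `oc rollout status` at the bottom of the loop only `continue`s, so the script still reaches `echo "All rotations completed successfully."` and `exit 0`, and the kuttl step passes even when none of the five rollouts was observed; with `set -x` but no `set -e`, nothing else fails the step either. Replace `continue` with a hard failure, e.g. `rm -f -- "$TMP_SECRET_FILE"; exit 1`, or record a failure flag and exit non-zero after the loop. The fixed `sleep 100` per iteration (500 s in total, which is presumably why kuttl-test.yaml's timeout is raised from 180 to 800 in this commit) could instead poll the `rotatedat` annotation the way validate_test_token.sh already does. The manifest is also written to a fixed path under /tmp and removed on only two of the exit paths; `TMP_SECRET_FILE=$(mktemp)` plus `trap 'rm -f -- "$TMP_SECRET_FILE"' EXIT` covers every path. The line `cat < $TMP_SECRET_FILE` looks like a rendering artefact of a heredoc redirection (`cat <<EOF > ...`); if the file really reads that way, the function reads the file instead of writing it.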
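Review bot: With `set -x` enabled, the `output=$(oc exec ...)` line traces the full value of `OS_TOKEN` into the kuttl step log, and because the token is passed as an `env` argument it is also visible in the openstackclient pod's process list; the rewritten `output=` line in validate_test_token.sh, which runs under `set -euxo pipefail`, has the same exposure. Wrap the call in `set +x` / `set -x`, or hand the token to the pod through stdin or a file rather than on the command line. The two greps are redundant: `filtered_output` is already the grep result, so the `if` can test the raw output directly, e.g. `if grep -qi -- "Could not recognize Fernet token" <<<"$output"; then`. The pass condition is tied to one exact server message, so if keystone rejects the rotated-out token with different wording the assertion fails although rotation worked; a comment recording why this string is the expected one would help the next maintainer.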
@@ -4,11 +4,11 @@ set -euxo pipefail
 seconds=1
 while [ $seconds -le 30 ]; do
 rotatedat=$(oc get secret keystone -n $NAMESPACE -o jsonpath="{.metadata.annotations['keystone\.openstack\.org/rotatedat']}")
- if [ $rotatedat != "2009-11-10T23:00:00Z" ]; then
+ if [ "$rotatedat" != "2009-11-10T23:00:00Z" ]; then
 break
 fi
 sleep 1
- seconds=$(( $seconds + 1 ))
+ seconds=$(( seconds + 1 ))
 done
 
 sleep 20 # make sure a rollout started
@@ -17,9 +17,9 @@ oc rollout status deployment/keystone -n $NAMESPACE
 
 export OS_TOKEN=$(cat /tmp/temporary_test_token)
 
-alias openstack="oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack"
+output=$(oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack endpoint list 2>&1 || true)
 
-if openstack endpoint list 2>&1 | grep "Failed to validate token"; then
+if echo "$output" | grep -qi "Could not recognize Fernet token"; then
 exit 1
 else
 exit 0
diff --git a/tests/kuttl/tests/fernet_rotation/03-assert.yaml b/tests/kuttl/tests/fernet_rotation/03-assert.yaml
new file mode 100644
index 00000000..7ed824ad
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/03-assert.yaml
@@ -0,0 +1,6 @@
+# validate that token saved in previous step works
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+namespaced: true
+commands:
+ - script: ../../common/scripts/test_invalid_token.sh
diff --git a/tests/kuttl/tests/fernet_rotation/03-rotate_keys_until_invalidate.yaml b/tests/kuttl/tests/fernet_rotation/03-rotate_keys_until_invalidate.yaml
new file mode 100644
index 00000000..9c21ab40
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/03-rotate_keys_until_invalidate.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: ../../common/scripts/rotate_token.sh
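Review bot: The ` || true` on the new `output=$(oc exec ...)` line in the second hunk, combined with an `if` that exits 0 whenever the Fernet message is absent, means this validation passes when `oc exec` cannot reach the openstackclient pod at all, or when keystone rejects the token with any other error text; the replaced `alias` version had the same weakness, but the rewrite makes it explicit. Because the script runs under `set -euxo pipefail` (visible in the first hunk's header), simply deleting the trailing ` || true` lets any non-zero exit from `openstack endpoint list` abort the step, and the grep can stay as a diagnostic for the specific failure mode. The `fi` that closes this `if` lies outside the hunk.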
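Review bot: The header comment `# validate that token saved in previous step works` states the opposite of what this assert checks: test_invalid_token.sh exits 0 only when keystone answers `Could not recognize Fernet token`, i.e. when the saved token has been invalidated by the rotations in 03-rotate_keys_until_invalidate.yaml. It reads like a copy of the assert for validate_test_token.sh; change it to `# validate that the token saved earlier is no longer accepted after the key rotations`.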
diff --git a/tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml b/tests/kuttl/tests/fernet_rotation/04-cleanup-openstackclient.yaml
similarity index 100%
rename from tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml
rename to tests/kuttl/tests/fernet_rotation/04-cleanup-openstackclient.yaml
diff --git a/tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml b/tests/kuttl/tests/fernet_rotation/05-cleanup-keystone.yaml
similarity index 100%
rename from tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml
rename to tests/kuttl/tests/fernet_rotation/05-cleanup-keystone.yaml
diff --git a/tests/kuttl/tests/fernet_rotation/04-errors.yaml b/tests/kuttl/tests/fernet_rotation/05-errors.yaml
similarity index 100%
rename from tests/kuttl/tests/fernet_rotation/04-errors.yaml
rename to tests/kuttl/tests/fernet_rotation/05-errors.yaml