Add TLS integration test + test COS when related to TLS operator

shayancanonical · shayancanonical · commit 716da0892851 · 2024-04-11T12:39:24.000Z
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -20,7 +20,7 @@ requests = "^2.31.0"
 # data_platform_libs/v0/data_interfaces.py
 ops = ">=2.0.0"
 # tls_certificates_interface/v1/tls_certificates.py
-cryptography = "*"
+cryptography = ">=42.0.5"
 jsonschema = "*"
 # grafana_agent/v0/cos_agent.py
 pydantic = "<2"
diff --git a/tests/integration/helpers.py b/tests/integration/helpers.py
@@ -3,7 +3,7 @@
 
 import itertools
 import tempfile
-from typing import Dict, List
+from typing import Dict, List, Optional
 
 from juju.unit import Unit
 from pytest_operator.plugin import OpsTest
@@ -222,3 +222,21 @@ async def stop_running_flush_mysqlrouter_cronjobs(ops_test: OpsTest, unit_name:
         with attempt:
             if await get_process_pid(ops_test, unit_name, "logrotate"):
                 raise Exception("Failed to stop the flush_mysql_logs logrotate process")
+
+
+async def get_tls_certificate_issuer(
+    ops_test: OpsTest,
+    unit_name: str,
+    socket: Optional[str] = None,
+    host: Optional[str] = None,
+    port: Optional[int] = None,
+) -> str:
+    connect_args = f"-unix {socket}" if socket else f"-connect {host}:{port}"
+    get_tls_certificate_issuer_commands = [
+        "ssh",
+        unit_name,
+        f"openssl s_client -showcerts -starttls mysql {connect_args} < /dev/null | openssl x509 -text | grep Issuer",
+    ]
+    return_code, issuer, _ = await ops_test.juju(*get_tls_certificate_issuer_commands)
+    assert return_code == 0, f"failed to get TLS certificate issuer on {unit_name=}"
+    return issuer
diff --git a/tests/integration/test_exporter.py b/tests/integration/test_exporter.py
@@ -16,6 +16,7 @@
 MYSQL_ROUTER_APP_NAME = "mysql-router"
 APPLICATION_APP_NAME = "mysql-test-app"
 GRAFANA_AGENT_APP_NAME = "grafana-agent"
+TLS_APP_NAME = "tls-certificates-operator"
 SLOW_TIMEOUT = 25 * 60
 
 
@@ -149,3 +150,76 @@ async def test_exporter_endpoint(ops_test: OpsTest, mysql_router_charm_series: s
         ), "❌ expected connection refused error"
     else:
         assert False, "❌ can connect to metrics endpoint without relation with cos"
+
+
+@pytest.mark.group(1)
+@pytest.mark.abort_on_fail
+async def test_exporter_endpoint_with_tls(ops_test: OpsTest) -> None:
+    """Test that the exporter endpoint works when related with TLS"""
+    http = urllib3.PoolManager()
+
+    mysql_router_app = ops_test.model.applications[MYSQL_ROUTER_APP_NAME]
+
+    logger.info(f"Deploying {TLS_APP_NAME}")
+    await ops_test.model.deploy(
+        TLS_APP_NAME,
+        application_name=TLS_APP_NAME,
+        channel="stable",
+        config={"generate-self-signed-certificates": "true", "ca-common-name": "Test CA"},
+    )
+
+    await ops_test.model.wait_for_idle([TLS_APP_NAME], status="active", timeout=SLOW_TIMEOUT)
+
+    logger.info(f"Relation mysqlrouter with {TLS_APP_NAME}")
+
+    await ops_test.model.relate(
+        f"{MYSQL_ROUTER_APP_NAME}:certificates", f"{TLS_APP_NAME}:certificates"
+    )
+
+    time.sleep(30)
+
+    mysql_test_app = ops_test.model.applications[APPLICATION_APP_NAME]
+    unit_address = await mysql_test_app.units[0].get_public_address()
+
+    try:
+        http.request("GET", f"http://{unit_address}:49152/metrics")
+    except urllib3.exceptions.MaxRetryError as e:
+        assert (
+            "[Errno 111] Connection refused" in e.reason.args[0]
+        ), "❌ expected connection refused error"
+    else:
+        assert False, "❌ can connect to metrics endpoint without relation with cos"
+
+    logger.info("Relating mysqlrouter with grafana agent")
+    await ops_test.model.relate(
+        f"{GRAFANA_AGENT_APP_NAME}:cos-agent", f"{MYSQL_ROUTER_APP_NAME}:cos-agent"
+    )
+
+    time.sleep(30)
+
+    jmx_resp = http.request("GET", f"http://{unit_address}:49152/metrics")
+    assert jmx_resp.status == 200, "❌ cannot connect to metrics endpoint with relation with cos"
+    assert "mysqlrouter_route_health" in str(
+        jmx_resp.data
+    ), "❌ did not find expected metric in response"
+
+    logger.info("Removing relation between mysqlrouter and grafana agent")
+    await mysql_router_app.remove_relation(
+        f"{GRAFANA_AGENT_APP_NAME}:cos-agent", f"{MYSQL_ROUTER_APP_NAME}:cos-agent"
+    )
+
+    time.sleep(30)
+
+    try:
+        http.request("GET", f"http://{unit_address}:49152/metrics")
+    except urllib3.exceptions.MaxRetryError as e:
+        assert (
+            "[Errno 111] Connection refused" in e.reason.args[0]
+        ), "❌ expected connection refused error"
+    else:
+        assert False, "❌ can connect to metrics endpoint without relation with cos"
+
+    logger.info(f"Removing relation between mysqlrouter and {TLS_APP_NAME}")
+    await mysql_router_app.remove_relation(
+        f"{MYSQL_ROUTER_APP_NAME}:certificates", f"{TLS_APP_NAME}:certificates"
+    )
diff --git a/tests/integration/test_tls.py b/tests/integration/test_tls.py
@@ -1,89 +1,112 @@
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
-# flake8: noqa
-# TODO: enable & remove noqa
-# import asyncio
-# import logging
-#
-# import pytest
-# from pytest_operator.plugin import OpsTest
-#
-# logger = logging.getLogger(__name__)
-#
-# MYSQL_APP_NAME = "mysql"
-# MYSQL_ROUTER_APP_NAME = "mysqlrouter"
-# TEST_APP_NAME = "mysql-test-app"
-# TLS_APP_NAME = "tls-certificates-operator"
-# SLOW_TIMEOUT = 15 * 60
-# MODEL_CONFIG = {"logging-config": "<root>=INFO;unit=DEBUG"}
-#
-#
-# @pytest.mark.group(1)
-# @pytest.mark.abort_on_fail
-# async def test_build_deploy_and_relate(ops_test: OpsTest, mysql_router_charm_series: str) -> None:
-#     """Test encryption when backend database is using TLS."""
-#     # Deploy TLS Certificates operator.
-#     await ops_test.model.set_config(MODEL_CONFIG)
-#     logger.info("Deploy and relate all applications")
-#     async with ops_test.fast_forward():
-#         # deploy mysql first
-#         await ops_test.model.deploy(
-#             MYSQL_APP_NAME, channel="8.0/edge", config={"profile": "testing"}, num_units=3
-#         )
-#         tls_config = {"generate-self-signed-certificates": "true", "ca-common-name": "Test CA"}
-#
-#         # ROUTER
-#         mysqlrouter_charm = await ops_test.build_charm(".")
-#
-#         # tls, test app and router
-#         await asyncio.gather(
-#             ops_test.model.deploy(
-#                 mysqlrouter_charm,
-#                 application_name=MYSQL_ROUTER_APP_NAME,
-#                 num_units=None,
-#                 series=mysql_router_charm_series,
-#             ),
-#             ops_test.model.deploy(
-#                 TLS_APP_NAME, application_name=TLS_APP_NAME, channel="stable", config=tls_config
-#             ),
-#             ops_test.model.deploy(
-#                 TEST_APP_NAME, application_name=TEST_APP_NAME, channel="latest/edge"
-#             ),
-#         )
-#
-#         await ops_test.model.relate(
-#             f"{MYSQL_ROUTER_APP_NAME}:backend-database", f"{MYSQL_APP_NAME}:database"
-#         )
-#         await ops_test.model.relate(
-#             f"{TEST_APP_NAME}:database", f"{MYSQL_ROUTER_APP_NAME}:database"
-#         )
-#
-#         logger.info("Waiting for applications to become active")
-#         # We can safely wait only for test application to be ready, given that it will
-#         # only become active once all the other applications are ready.
-#         await ops_test.model.wait_for_idle([TEST_APP_NAME], status="active", timeout=15 * 60)
-#
-#
-# @pytest.mark.group(1)
-# async def test_connected_encryption(ops_test: OpsTest) -> None:
-#     """Test encryption when backend database is using TLS."""
-#     test_app_unit = ops_test.model.applications[TEST_APP_NAME].units[0]
-#
-#     logger.info("Relating TLS with backend database")
-#     await ops_test.model.relate(TLS_APP_NAME, MYSQL_APP_NAME)
-#
-#     # Wait for hooks start reconfiguring app
-#     await ops_test.model.block_until(
-#         lambda: ops_test.model.applications[MYSQL_APP_NAME].status != "active", timeout=4 * 60
-#     )
-#     await ops_test.model.wait_for_idle(status="active", timeout=15 * 60)
-#
-#     logger.info("Get cipher when TLS is enforced")
-#     action = await test_app_unit.run_action("get-session-ssl-cipher")
-#     result = await action.wait()
-#
-#     cipher = result.results["cipher"]
-#     # this assertion should be true even when TLS is not related to the backend database
-#     # because by default mysqlrouter will use TLS, unless explicitly disabled, which we never do
-#     assert cipher == "TLS_AES_256_GCM_SHA384", "Cipher not set"
+import asyncio
+import logging
+import time
+
+import pytest
+from pytest_operator.plugin import OpsTest
+
+from .helpers import get_tls_certificate_issuer
+
+logger = logging.getLogger(__name__)
+
+MYSQL_APP_NAME = "mysql"
+MYSQL_ROUTER_APP_NAME = "mysqlrouter"
+TEST_APP_NAME = "mysql-test-app"
+TLS_APP_NAME = "tls-certificates-operator"
+SLOW_TIMEOUT = 15 * 60
+MODEL_CONFIG = {"logging-config": "<root>=INFO;unit=DEBUG"}
+
+
+@pytest.mark.group(1)
+@pytest.mark.abort_on_fail
+async def test_build_deploy_and_relate(ops_test: OpsTest, mysql_router_charm_series: str) -> None:
+    """Test encryption when backend database is using TLS."""
+    await ops_test.model.set_config(MODEL_CONFIG)
+    logger.info("Deploy and relate all applications")
+    async with ops_test.fast_forward():
+        # deploy mysql first
+        await ops_test.model.deploy(
+            MYSQL_APP_NAME, channel="8.0/edge", config={"profile": "testing"}, num_units=1
+        )
+        tls_config = {"generate-self-signed-certificates": "true", "ca-common-name": "Test CA"}
+
+        # ROUTER
+        mysqlrouter_charm = await ops_test.build_charm(".")
+
+        # tls, test app and router
+        await asyncio.gather(
+            ops_test.model.deploy(
+                mysqlrouter_charm,
+                application_name=MYSQL_ROUTER_APP_NAME,
+                num_units=None,
+                series=mysql_router_charm_series,
+            ),
+            ops_test.model.deploy(
+                TLS_APP_NAME, application_name=TLS_APP_NAME, channel="stable", config=tls_config
+            ),
+            ops_test.model.deploy(
+                TEST_APP_NAME,
+                application_name=TEST_APP_NAME,
+                channel="latest/edge",
+                series=mysql_router_charm_series,
+            ),
+        )
+
+        await ops_test.model.relate(
+            f"{MYSQL_ROUTER_APP_NAME}:backend-database", f"{MYSQL_APP_NAME}:database"
+        )
+        await ops_test.model.relate(
+            f"{TEST_APP_NAME}:database", f"{MYSQL_ROUTER_APP_NAME}:database"
+        )
+
+        logger.info("Waiting for applications to become active")
+        # We can safely wait only for test application to be ready, given that it will
+        # only become active once all the other applications are ready.
+        await ops_test.model.wait_for_idle([TEST_APP_NAME], status="active", timeout=SLOW_TIMEOUT)
+
+
+@pytest.mark.group(1)
+@pytest.mark.abort_on_fail
+async def test_connected_encryption(ops_test: OpsTest) -> None:
+    """Test encryption when backend database is using TLS."""
+    mysqlrouter_unit = ops_test.model.applications[MYSQL_ROUTER_APP_NAME].units[0]
+
+    issuer = await get_tls_certificate_issuer(
+        ops_test,
+        mysqlrouter_unit.name,
+        socket="/var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock",
+    )
+    assert (
+        "Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate" in issuer
+    ), "Expected mysqlrouter autogenerated CA certificate"
+
+    logger.info("Relating TLS with mysqlrouter")
+    await ops_test.model.relate(TLS_APP_NAME, MYSQL_ROUTER_APP_NAME)
+
+    time.sleep(30)
+
+    logger.info("Getting certificate issuer after relating with tls operator")
+    issuer = await get_tls_certificate_issuer(
+        ops_test,
+        mysqlrouter_unit.name,
+        socket="/var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock",
+    )
+    assert "CN = Test CA" in issuer, f"Expected mysqlrouter certificate from {TLS_APP_NAME}"
+
+    logger.info("Removing relation TLS with mysqlrouter")
+    await ops_test.model.applications[MYSQL_ROUTER_APP_NAME].remove_relation(
+        f"{TLS_APP_NAME}:certificates", f"{MYSQL_ROUTER_APP_NAME}:certificates"
+    )
+
+    time.sleep(30)
+    issuer = await get_tls_certificate_issuer(
+        ops_test,
+        mysqlrouter_unit.name,
+        socket="/var/snap/charmed-mysql/common/run/mysqlrouter/mysql.sock",
+    )
+    assert (
+        "Issuer: CN = MySQL_Router_Auto_Generated_CA_Certificate" in issuer
+    ), "Expected mysqlrouter autogenerated CA certificate"
