qa/vault: create_secrets() cleanup checks for orphaned keys

the vault task creates some keys on startup for use in s3-tests. on
cleanup, check that rgw has removed any temporary bucket keys that
were created during testing. fail with an assertion if the listed keys
differ

Signed-off-by: Casey Bodley <cbodley@redhat.com>

diff --git a/qa/suites/rgw/crypt/2-kms/vault_kv.yaml b/qa/suites/rgw/crypt/2-kms/vault_kv.yaml
index 9ee9366d0c456b7e7087e0fb12dc697797452b69..0b512117cbb013afa34b680a5af5347469fbd71d 100644 (file)
--- a/qa/suites/rgw/crypt/2-kms/vault_kv.yaml
+++ b/qa/suites/rgw/crypt/2-kms/vault_kv.yaml
@@ -17,7 +17,7 @@ tasks:
       install_sha256: 7725b35d9ca8be3668abe63481f0731ca4730509419b4eb29fa0b0baa4798458
       root_token: test_root_token
       engine: kv
-      prefix: /v1/kv/data/
+      prefix: /v1/kv/
       secrets:
         - path: my-key-1
           secret: a2V5MS5GcWVxKzhzTGNLaGtzQkg5NGVpb1FKcFpGb2c=

diff --git a/qa/tasks/vault.py b/qa/tasks/vault.py
index ae874eb55e35e31a7e3918a774af153f1f1c2dcf..848d50ec0149fb2009bfb8417f2472c29b3f0ba6 100644 (file)
--- a/qa/tasks/vault.py
+++ b/qa/tasks/vault.py
@@ -173,8 +173,8 @@ def send_req(ctx, cconfig, client, path, body, method='POST'):
     headers = {'X-Vault-Token': token}
     req.request(method, path, headers=headers, body=body)
     resp = req.getresponse()
-    log.info(resp.read())
     if not (resp.status >= 200 and resp.status < 300):
+        log.info(resp.read())
         raise Exception("Request to Vault server failed with status %d" % resp.status)
     return resp
 
@@ -198,6 +198,7 @@ def create_secrets(ctx, config):
         exportable = secret.get("exportable", flavor == "old")
 
         if engine == 'kv':
+            path = urljoin('data/', path)
             try:
                 data = {
                     "data": {
@@ -216,8 +217,21 @@ def create_secrets(ctx, config):
         ctx.vault.keys[cclient].append({ 'Path': path });
 
     log.info("secrets created")
+
+    list_url = prefix
+    if engine == 'kv':
+        list_url = urljoin(prefix, 'metadata')
+
+    resp = send_req(ctx, cconfig, cclient, list_url, b'', 'LIST')
+    keys_created = json.loads(resp.read())['data']['keys']
+    assert len(keys_created) == len(ctx.vault.keys[cclient])
+
     yield
 
+    # fetch another listing and verify that no additional keys are left over
+    resp = send_req(ctx, cconfig, cclient, list_url, b'', 'LIST')
+    keys_after = json.loads(resp.read())['data']['keys']
+    assert keys_created == keys_after
 
 @contextlib.contextmanager
 def task(ctx, config):