Verify noobaa root secrets are not publicly exposed (#8981)

Signed-off-by: Mahesh Shetty <[email protected]>

ocs_ci/deployment/helpers/mcg_helpers.py

@@ -44,3 +44,41 @@ def mcg_only_post_deployment_checks():
 
     # Enable console plugin
     enable_console_plugin()
+
+
+def check_if_mcg_root_secret_public():
+    """
+    Verify if MCG root secret is public
+
+    Returns:
+        False if the secrets are not public and True otherwise
+
+    """
+
+    noobaa_endpoint_dep = ocp.OCP(
+        kind="Deployment",
+        namespace=config.ENV_DATA["cluster_namespace"],
+        resource_name=constants.NOOBAA_ENDPOINT_DEPLOYMENT,
+    ).get()
+
+    noobaa_core_sts = ocp.OCP(
+        kind="Statefulset",
+        namespace=config.ENV_DATA["cluster_namespace"],
+        resource_name=constants.NOOBAA_CORE_STATEFULSET,
+    ).get()
+
+    nb_endpoint_env = noobaa_endpoint_dep["spec"]["template"]["spec"]["containers"]
+    nb_core_env = noobaa_core_sts["spec"]["template"]["spec"]["containers"]
+
+    def _check_env_vars(env_vars):
+        """
+        Method verifies the environment variable lists
+        if the root secret is public
+
+        """
+        for env in env_vars:
+            if env["name"] == "NOOBAA_ROOT_SECRET" and "value" in env.keys():
+                return True
+        return False
+
+    return _check_env_vars(nb_core_env) or _check_env_vars(nb_endpoint_env)

ocs_ci/ocs/resources/storage_cluster.py

@@ -75,6 +75,7 @@
 from ocs_ci.utility.utils import run_cmd, TimeoutSampler
 from ocs_ci.utility.decorators import switch_to_orig_index_at_last
 from ocs_ci.helpers.helpers import storagecluster_independent_check
+from ocs_ci.deployment.helpers.mcg_helpers import check_if_mcg_root_secret_public
 
 log = logging.getLogger(__name__)
 
@@ -752,6 +753,12 @@ def ocs_install_verification(
     ):
         validate_serviceexport()
 
+    # check that noobaa root secrets are not public
+    assert (
+        check_if_mcg_root_secret_public() is False
+    ), "Seems like MCG root secrets are public, please check"
+    log.info("Noobaa root secrets are not public")
+
 
 def mcg_only_install_verification(ocs_registry_image=None):
     """

tests/manage/mcg/test_noobaa_secret.py

@@ -17,12 +17,14 @@
     skipif_disconnected_cluster,
     red_squad,
     mcg,
+    post_upgrade,
 )
 from ocs_ci.ocs.exceptions import CommandFailed
 from ocs_ci.utility.aws import update_config_from_s3
 from ocs_ci.utility.utils import load_auth_config
 from botocore.exceptions import EndpointConnectionError
 from ocs_ci.ocs.bucket_utils import create_aws_bs_using_cli
+from ocs_ci.deployment.helpers.mcg_helpers import check_if_mcg_root_secret_public
 
 logger = logging.getLogger(__name__)
 
@@ -331,3 +333,22 @@ def test_noobaa_secret_deletion_method2(self, teardown_factory, mcg_obj, cleanup
         logger.info(
             "Secret got deleted after the all the linked backingstores are deleted!"
         )
+
+
+@mcg
+@post_upgrade
+@red_squad
+@bugzilla("2219522")
+@polarion_id("OCS-5205")
+@tier2
+def test_noobaa_root_secret():
+    """
+    This test verifies if the noobaa root secret is publicly
+    exposed or not during upgrade scenario
+
+    """
+
+    assert (
+        check_if_mcg_root_secret_public() is False
+    ), "Seems like MCG root secrets are exposed publicly, please check"
+    logger.info("MCG root secrets are not exposed to public")

tests/manage/mcg/test_s3_regenerate_creds.py

@@ -0,0 +1,48 @@
+import logging
+
+from ocs_ci.framework.pytest_customization.marks import (
+    tier2,
+    bugzilla,
+    polarion_id,
+    red_squad,
+    mcg,
+)
+from ocs_ci.ocs.ocp import OCP
+from ocs_ci.ocs import constants
+
+logger = logging.getLogger(__name__)
+
+
+@tier2
+@mcg
+@red_squad
+@bugzilla("2246328")
+@polarion_id("OCS-5216")
+def test_s3_regenerate_creds(mcg_obj, project_factory):
+    """
+    Test s3 regenerate credential
+
+    """
+
+    # create a custom namespace
+    proj_name = "reg-project"
+    logger.info(f"Creating the project {proj_name}")
+    project_factory(project_name=proj_name)
+
+    # create obc in that namespace
+    ocp_obj = OCP(kind="obc", namespace=proj_name)
+    obc_name = "reg-obc"
+    logger.info(f"Creating OBC {obc_name}")
+    mcg_obj.exec_mcg_cmd(
+        cmd=f"obc create {obc_name} --app-namespace {proj_name}",
+        namespace=constants.OPENSHIFT_STORAGE_NAMESPACE,
+    )
+    ocp_obj.get(resource_name=obc_name)
+
+    # regenerate credential
+    mcg_obj.exec_mcg_cmd(
+        cmd=f"obc regenerate {obc_name} --app-namespace {proj_name}",
+        namespace=constants.OPENSHIFT_STORAGE_NAMESPACE,
+        use_yes=True,
+    )
+    logger.info("Successfully regenerated s3 credentials")