#!/usr/bin/env bash
# tests/tenant-onboard/run-tests.sh -- focused offline harness for the two
# stage4 guard behaviors hardened in the 2026-07-03 sweep (H1: the raced
# duplicate-CIDR guard previously FAILED OPEN under pipefail SIGPIPE).
# Fake openstack replays fixtures; fake HOME provides a stub admin-openrc.
# Not a full-stage harness: stage4 is cut short right AFTER the guard by an
# empty app-cred path -- the assertions target guard behavior only.
# Exit: 0 all pass | 1 any case failed.  ASCII + LF.
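# -e is deliberately not set: the cases further down capture non-zero exit
# codes from the script under test, so each setup step that matters is
# checked by hand instead.
set -uo pipefail

HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO="$(cd "$HERE/../.." && pwd)"

# Abort if the sandbox cannot be created. With an empty TMP the paths below
# would resolve to /bin and /home, and the fake CLI and stub openrc would be
# written into the real filesystem (a real risk when run as root).
TMP="$(mktemp -d)" || { echo "run-tests: mktemp -d failed" >&2; exit 1; }
if [[ -z "$TMP" || ! -d "$TMP" ]]; then
  echo "run-tests: mktemp -d returned no usable directory" >&2
  exit 1
fi
# ${TMP:?} keeps the cleanup from ever expanding to an empty path.
trap 'rm -rf -- "${TMP:?}"' EXIT

PASS=0; FAIL=0

BIN="$TMP/bin"; H="$TMP/home"
mkdir -p "$BIN" "$H" "$H/vault-init" \
  || { echo "run-tests: cannot create sandbox directories under $TMP" >&2; exit 1; }

# Stub admin-openrc. $HOME is written literally (single-quoted format string),
# so it is expanded only when the file is evaluated -- presumably when the
# script under test sources it under the fake HOME; verify against that script.
printf 'export OS_AUTH_URL=https://fake:5000/v3\nexport OS_CACERT=$HOME/vault-init/vault-ca-root.pem\n' > "$H/admin-openrc"

# Throwaway self-signed CA so the OS_CACERT path above points at a real PEM.
# The key is unencrypted (-nodes) but lives only inside the mktemp directory
# and is deleted by the EXIT trap. openssl output stays silenced, but a failure
# is no longer ignored: without the PEM the cases would fail for an unrelated
# reason and hide what the guard actually did.
if ! openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -subj /CN=fake-ca \
  -keyout "$H/vault-init/ca.key" -out "$H/vault-init/vault-ca-root.pem" -days 2 >/dev/null 2>&1; then
  echo "run-tests: could not generate the throwaway CA (is openssl installed?)" >&2
  exit 1
fi

# Fake openstack CLI, put first on PATH by run_stage4. It replays
# $FIXDIR/subnets.txt for any "subnet list" call and rejects every other
# subcommand with exit 1, so an unexpected call fails loudly instead of
# silently returning nothing.
cat > "$BIN/openstack" <<'FB'
#!/usr/bin/env bash
case "$*" in
  *"subnet list"*) cat "$FIXDIR/subnets.txt" ;;
  *) echo "fake-openstack: unmatched: $*" >&2; exit 1 ;;
esac
FB
chmod +x "$BIN/openstack" \
  || { echo "run-tests: cannot mark the fake openstack executable" >&2; exit 1; }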

# Run stage4 of scripts/tenant-onboard.sh for tenant "testco" under the fakes.
#   $1 - fixture directory, exported to the child as FIXDIR
# Globals read: TMP (working dir), H (fake HOME), BIN (fake CLI dir), REPO, PATH
# Output:  the script's stdout and stderr, merged onto stdout
# Returns: the script's exit status (or cd's status if TMP is not enterable)
run_stage4() {
  (
    # Subshell: the cd and the environment overrides never leak to the harness.
    cd "$TMP" || exit
    fixture_dir="$1"
    # BIN goes first on PATH so the fake openstack wins the lookup.
    env \
      HOME="$H" \
      FIXDIR="$fixture_dir" \
      PATH="$BIN:$PATH" \
      TENANT_CIDR="10.20.24.0/24" \
      bash "$REPO/scripts/tenant-onboard.sh" testco stage4 2>&1
  )
}
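# Record one PASS or FAIL for a captured run.
#   $1 - ERE that must match somewhere in the output
#   $2 - ERE that must NOT match, or "-" to skip that check
#   $3 - label printed in the result line
#   $4 - captured output of the run
#   $5 - exit code of the run (only echoed on FAIL, never evaluated here)
# Globals written: PASS, FAIL (counters)
# Outputs: one result line; on FAIL also the first 4 output lines, indented.
check() { # check <want_in_out:regex> <must_not:regex|-> <label> <out> <rc>
  local want="$1" not="$2" label="$3" out="$4" rc="$5"
  local okw=1 okn=1 grc=0
  # -e keeps a pattern that starts with '-' from being parsed as a grep option.
  grep -qE -e "$want" <<<"$out" || okw=0
  if [ "$not" != "-" ]; then
    grep -qE -e "$not" <<<"$out" || grc=$?
    # Only status 1 ("no match") clears the must-not check. 0 means the
    # forbidden text is present; >1 is a grep error (e.g. a bad regex), which
    # must fail closed rather than count as "absent".
    [ "$grc" -eq 1 ] || okn=0
  fi
  if [ "$okw" = 1 ] && [ "$okn" = 1 ]; then
    echo "  PASS  $label"
    PASS=$((PASS+1))
  else
    echo "  FAIL  $label (rc=$rc)"
    # printf, not echo: captured output such as "-n" must be printed verbatim.
    printf '%s\n' "$out" | head -4 | sed 's/^/        /'
    FAIL=$((FAIL+1))
  fi
}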

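# Refuse to build fixtures outside the sandbox: an empty TMP would turn the
# paths below into /fx-collide, /fx-clear and /out.
: "${TMP:?TMP must point at the harness sandbox}"

# Fixtures replayed by the fake openstack for "subnet list": one list that
# contains the tenant CIDR (10.20.24.0/24) and one that does not.
mkdir -p "$TMP/fx-collide" "$TMP/fx-clear" "$TMP/out"
printf '10.20.7.0/24\n10.20.24.0/24\n10.20.9.0/24\n' > "$TMP/fx-collide/subnets.txt"
printf '10.20.7.0/24\n10.20.9.0/24\n'                > "$TMP/fx-clear/subnets.txt"
# NOTE(review): only an exact-match collision and a clean miss are covered.
# Overlapping or near-miss prefixes (e.g. a /25 inside the /24) are not
# exercised here -- confirm whether the guard is expected to catch those.

# T1: colliding CIDR present in the list -> guard MUST die (the bug was fail-open)
# Dots are escaped so the pattern matches only the literal CIDR, not any
# character in those positions.
out=$(run_stage4 "$TMP/fx-collide"); rc=$?
check 'CIDR 10\.20\.24\.0/24 in use' '-' "T1 duplicate-CIDR guard fires (was fail-open under SIGPIPE)" "$out" "$rc"
# T1b: the message alone is not enough; a guard that prints and then exits 0
# would still let onboarding continue.
[ "$rc" -ne 0 ] || { echo "  FAIL  T1b guard must exit non-zero"; FAIL=$((FAIL+1)); }

# T2: CIDR absent -> guard must NOT fire; script proceeds past it into stage4 body
out=$(run_stage4 "$TMP/fx-clear"); rc=$?
check '== stage4:' 'CIDR .* in use' "T2 clear CIDR passes the guard (no false die)" "$out" "$rc"

echo; echo "RESULT: PASS=$PASS FAIL=$FAIL"
# Exit 0 only when no case failed; any failure exits 1.
if [[ "$FAIL" -eq 0 ]]; then
  echo "ALL PASS"
  exit 0
fi
exit 1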