Add LDAP test with authentication and authorization

Change-Id: Ic5605439a94779e11eec21057c4a8581b6ec6198

stacklight_tests/toolchain/test_ldap_plugins.py

@@ -44,6 +44,49 @@ class TestToolchainLDAP(api.ToolchainApi):
 
         Duration 120m
         """
+        self._create_ldap_toolchain()
+
+        self.env.make_snapshot("deploy_toolchain_with_ldap", is_make=True)
+
+    @test(depends_on_groups=['prepare_slaves_3'],
+          groups=["ldap", "deploy_toolchain_with_ldap_authz", "toolchain",
+                  "deploy"])
+    @log_snapshot_after_test
+    def deploy_toolchain_with_ldap_authz(self):
+        """Install the LMA Toolchain plugins with LDAP integration for
+        authentication and authorization
+
+        Scenario:
+            1. Upload the LMA Toolchain plugins to the master node
+            2. Install the plugins
+            3. Create the cluster
+            4. Enable and configure LDAP for plugin authentication and
+               authorization
+            5. Deploy the cluster
+            6. Upload install_slapd.sh script on controller node
+            7. On controller node open the firewall for ports 389 and 636
+            8. Install and configure the LDAP server
+            9. Check that LMA Toolchain plugins are running
+            10. Check plugins are available with LDAP for authentication and
+               authorization
+
+        Duration 120m
+        """
+        self._create_ldap_toolchain(authz=True)
+
+        self.env.make_snapshot("deploy_toolchain_with_ldap_authz",
+                               is_make=True)
+
+    def _create_ldap_toolchain(self, authz=False, protocol='ldap'):
+        """Create generic toolchain for LDAP test
+
+        :param authz: configures LDAP server for plugin authorisation and adds
+        authorisation checking
+        :type authz: boolean
+        :param protocol: configures LDAP or LDAPS protocol to be used on LDAP
+        server
+        :type protocol: str
+        """
         fuel_web = self.helpers.fuel_web
 
         self.env.revert_snapshot("ready_with_3_slaves")
@@ -68,9 +111,11 @@ class TestToolchainLDAP(api.ToolchainApi):
             role_status='pending_roles')[0]['hostname']
 
         for name, plugin in plugins_ldap.iteritems():
-            self._activate_ldap_plugin(plugin[0], plugin[1], name, ldap_server)
+            self._activate_ldap_plugin(plugin[0], plugin[1], name, ldap_server,
+                                       authz=authz, protocol=protocol)
 
         self.helpers.deploy_cluster(self.settings.base_nodes)
+
         ldap_node = fuel_web.get_nailgun_cluster_nodes_by_roles(
             self.helpers.cluster_id, roles=["controller", ])[0]
 
@@ -88,7 +133,7 @@ class TestToolchainLDAP(api.ToolchainApi):
         self.check_plugins_online()
 
         for plugin in plugins_ldap.values():
-            plugin[0].check_plugin_ldap()
+            plugin[0].check_plugin_ldap(authz=authz)
 
         self.env.make_snapshot("deploy_toolchain_with_ldap", is_make=True)
 
@@ -117,4 +162,28 @@ class TestToolchainLDAP(api.ToolchainApi):
         if name in ["elasticsearch_kibana", "lma_infrastructure_alerting"]:
             options.update({"ldap_user_attribute/value": "uid"})
 
+        if authz:
+            options.update({
+                "ldap_authorization_enabled/value": True,
+            })
+            if name in ["elasticsearch_kibana", "lma_infrastructure_alerting"]:
+                options.update({
+                    "ldap_admin_group_dn/value":
+                        "cn=plugin_admins,ou=groups,dc=stacklight,dc=ci"
+                })
+                if name == "elasticsearch_kibana":
+                    options.update({
+                        "ldap_viewer_group_dn/value":
+                            "cn=plugin_viewers,ou=groups,dc=stacklight,dc=ci"
+                    })
+            else:
+                options.update({
+                    "ldap_group_search_base_dns/value":
+                        "ou=groups,dc=stacklight,dc=ci",
+                    "ldap_group_search_filter/value":
+                        "(&(objectClass=posixGroup)(memberUid=%s)",
+                    "ldap_admin_group_dn/value": "plugin_admins",
+                    "ldap_viewer_group_dn/value": "plugin_viewers"
+                })
+
         plugin.activate_plugin(options=options)