Add test for baremetal secureboot provisioning

pytest_fixtures/component/provision_pxe.py

@@ -287,6 +287,7 @@ def pxe_loader(request):
         'uefi': {'vm_firmware': 'uefi', 'pxe_loader': 'Grub2 UEFI'},
         'ipxe': {'vm_firmware': 'bios', 'pxe_loader': 'iPXE Embedded'},
         'http_uefi': {'vm_firmware': 'uefi', 'pxe_loader': 'Grub2 UEFI HTTP'},
+        'secureboot': {'vm_firmware': 'uefi_secureboot', 'pxe_loader': 'Grub2 UEFI SecureBoot'},
     }
     return Box(PXE_LOADER_MAP[getattr(request, 'param', 'bios')])
 

pytest_fixtures/component/provision_vmware.py

@@ -5,6 +5,7 @@
 from wrapanapi.systems.virtualcenter import VMWareVirtualMachine
 
 from robottelo.config import settings
+from robottelo.hosts import ContentHost
 
 
 @pytest.fixture(scope='module')
@@ -112,18 +113,24 @@ def module_vmware_image(
 
 
 @pytest.fixture
-def provisioning_vmware_host(pxe_loader, vmwareclient):
+def provisioning_vmware_host(pxe_loader, vmwareclient, module_ssh_key_file):
     """Fixture to check out blank VM on VMware"""
-    vm_boot_firmware = 'efi' if pxe_loader.vm_firmware == 'uefi' else 'bios'
-    provisioning_host = Broker(
+    vm_boot_firmware = 'efi' if pxe_loader.vm_firmware.startswith('uefi') else 'bios'
+    vm_secure_boot = 'true' if pxe_loader.vm_firmware == 'uefi_secureboot' else 'false'
+    vlan_id = settings.provisioning.vlan_id
+    with Broker(
         workflow='deploy-blank-vm-vcenter',
-        artifacts='last',
-        vm_network=settings.provisioning.vlan_id,
+        host_class=ContentHost,
+        vm_network=vlan_id,
         vm_boot_firmware=vm_boot_firmware,
-    ).execute()
-    yield provisioning_host
-    # delete the host
-    vmware_host = VMWareVirtualMachine(vmwareclient, name=provisioning_host['name'])
-    vmware_host.delete()
-    # check if vm is deleted from VMware
-    assert vmwareclient.does_vm_exist(provisioning_host['name']) is False
+        vm_secure_boot=vm_secure_boot,
+        auth=module_ssh_key_file,
+        blank=True,
+        _skip_context_checkin=True,
+    ) as provisioning_host:
+        yield provisioning_host
+        # Delete the host
+        vmware_host = VMWareVirtualMachine(vmwareclient, name=provisioning_host.name)
+        vmware_host.delete()
+        # Verify host is deleted from VMware
+        assert vmwareclient.does_vm_exist(provisioning_host.name) is False

tests/foreman/api/test_computeresource_vmware.py

@@ -154,12 +154,13 @@ def test_positive_provision_vmware_pxe_discovery(
         2. Provision the host
 
     :expectedresults: Host should be provisioned successfully
-
     """
-    mac = provisioning_vmware_host['provisioning_nic_mac_addr']
+    mac = provisioning_vmware_host._broker_args['provisioning_nic_mac_addr']
     sat = module_discovery_sat.sat
     # start the provisioning host
-    vmware_host = VMWareVirtualMachine(vmwareclient, name=provisioning_vmware_host['name'])
+    vmware_host = VMWareVirtualMachine(
+        vmwareclient, name=provisioning_vmware_host._broker_args['name']
+    )
     vmware_host.start()
     wait_for(
         lambda: sat.api.DiscoveredHost().search(query={'mac': mac}) != [],

tests/foreman/api/test_provisioning.py

@@ -17,8 +17,10 @@
 from fauxfactory import gen_string
 import pytest
 from wait_for import TimedOutError, wait_for
+from wrapanapi.systems.virtualcenter import VMWareVirtualMachine
 
 from robottelo.config import settings
+from robottelo.hosts import get_sat_rhel_version
 from robottelo.logging import logger
 from robottelo.utils.installer import InstallerCommand
 from robottelo.utils.issue_handlers import is_open
@@ -592,6 +594,112 @@ def test_rhel_pxe_provisioning_fips_enabled(
     assert provisioning_host.subscribed, 'Host is not subscribed'
 
 
+@pytest.mark.e2e
+@pytest.mark.upgrade
+@pytest.mark.on_premises_provisioning
+@pytest.mark.parametrize('pxe_loader', ['secureboot'], indirect=True)
+@pytest.mark.rhel_ver_match([get_sat_rhel_version().major])
+def test_rhel_pxe_provisioning_secureboot_enabled(
+    request,
+    module_provisioning_sat,
+    vmwareclient,
+    provisioning_vmware_host,
+    pxe_loader,
+    module_sca_manifest_org,
+    module_location,
+    module_provisioning_rhel_content,
+    provisioning_hostgroup,
+):
+    """Simulate Secureboot baremetal provisioning of a RHEL system via PXE on vCenter provider
+
+    :id: 8b33f545-c4a8-428d-8fd8-a5e402c8cd23
+
+    :steps:
+        1. Provision RHEL system via PXE on vCenter provider
+        2. Check that resulting host is registered to Satellite
+        3. Check host is subscribed to Satellite
+
+    :expectedresults:
+        1. Host installs right version of RHEL
+        2. Host is registered to Satellite and subscription status is 'Success'
+        3. Secureboot is enabled on the host
+
+    :Verifies: SAT-25809
+
+    :customerscenario: true
+
+    :parametrized: yes
+    """
+    host_mac_addr = provisioning_vmware_host._broker_args['provisioning_nic_mac_addr']
+    sat = module_provisioning_sat.sat
+    host = sat.api.Host(
+        hostgroup=provisioning_hostgroup,
+        organization=module_sca_manifest_org,
+        location=module_location,
+        name=gen_string('alpha').lower(),
+        mac=host_mac_addr,
+        build=True,  # put the host in build mode
+    ).create(create_missing=False)
+    # Clean up the host to free IP leases on Satellite.
+    # broker should do that as a part of the teardown, putting here just to make sure.
+    request.addfinalizer(lambda: sat.provisioning_cleanup(host.name))
+
+    # start the provisioning host on VMware, do not ensure that we can connect to SSHD
+    vmware_host = VMWareVirtualMachine(
+        vmwareclient, name=provisioning_vmware_host._broker_args['name']
+    )
+    vmware_host.start()
+
+    # TODO: Implement Satellite log capturing logic to verify that
+    # all the events are captured in the logs.
+    # Host should do call back to the Satellite reporting
+    # the result of the installation. Wait until Satellite reports that the host is installed.
+    wait_for(
+        lambda: host.read().build_status_label != 'Pending installation',
+        timeout=1500,
+        delay=10,
+    )
+    host = host.read()
+    assert host.build_status_label == 'Installed'
+
+    # Change the hostname of the host as we know it already.
+    # In the current infra environment we do not support
+    # addressing hosts using FQDNs, falling back to IP.
+    provisioning_vmware_host.hostname = host.ip
+    # Host is not blank anymore
+    provisioning_vmware_host.blank = False
+
+    # Wait for the host to be rebooted and SSH daemon to be started.
+    provisioning_vmware_host.wait_for_connection()
+
+    # Perform version check and check if root password is properly updated
+    host_os = host.operatingsystem.read()
+    expected_rhel_version = f'{host_os.major}.{host_os.minor}'
+
+    if int(host_os.major) >= 9:
+        assert (
+            provisioning_vmware_host.execute(
+                'echo -e "\nPermitRootLogin yes" >> /etc/ssh/sshd_config; systemctl restart sshd'
+            ).status
+            == 0
+        )
+    host_ssh_os = sat.execute(
+        f'sshpass -p {settings.provisioning.host_root_password} '
+        'ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no -o PasswordAuthentication=yes '
+        f'-o UserKnownHostsFile=/dev/null root@{provisioning_vmware_host.hostname} cat /etc/redhat-release'
+    )
+    assert host_ssh_os.status == 0
+    assert (
+        expected_rhel_version in host_ssh_os.stdout
+    ), 'Different than the expected OS version was installed'
+
+    # Verify host is subscribed and consumes subsctiption provided by the activation key
+    assert provisioning_vmware_host.subscribed, 'Host is not subscribed'
+
+    # Verify SecureBoot is enabled on host after provisioning is completed sucessfully
+    assert 'SecureBoot enabled' in provisioning_vmware_host.execute('mokutil --sb-state').stdout
+
+
 @pytest.mark.e2e
 @pytest.mark.parametrize('pxe_loader', ['bios', 'uefi'], indirect=True)
 @pytest.mark.skip(reason='Skipping till we have destructive support')