Parametrize tests with pools encryption

ydb/tests/functional/tenants/test_auth_system_views.py

@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
 import logging
-import copy
 
 import pytest
 
@@ -49,16 +48,9 @@
 )
 
 
-# fixtures.ydb_cluster_configuration local override
 @pytest.fixture(scope='module')
-def ydb_cluster_configuration():
-    conf = copy.deepcopy(CLUSTER_CONFIG)
-    return conf
-
-
-@pytest.fixture(scope='module')
-def ydb_configurator(ydb_cluster_configuration):
-    config_generator = KikimrConfigGenerator(**ydb_cluster_configuration)
+def ydb_configurator(ydb_cluster_configuration_with_encryption_parametrized):
+    config_generator = KikimrConfigGenerator(**ydb_cluster_configuration_with_encryption_parametrized)
     config_generator.yaml_config['auth_config'] = {
         'domain_login_only': False,
     }

ydb/tests/library/fixtures/__init__.py

@@ -2,6 +2,7 @@
 import contextlib
 import logging
 import os
+import copy
 
 import pytest
 
@@ -167,3 +168,17 @@ def stop_pool():
 #     with Driver(DriverConfig(ydb_endpoint, database_path)) as driver:
 #         with SessionPool(driver) as pool:
 #             yield database_path, pool
+
+
+@pytest.fixture(scope='module', params=[True, False], ids=["encryption_enabled", "encryption_disabled"])
+def encryption_enabled(request):
+    """Parametrized fixture that runs tests with both encryption enabled and disabled."""
+    return request.param
+
+
+@pytest.fixture(scope='module')
+def ydb_cluster_configuration_with_encryption_parametrized(ydb_cluster_configuration, encryption_enabled):
+    """Extended cluster configuration that includes encryption settings based on the parametrized fixture."""
+    config = copy.deepcopy(ydb_cluster_configuration)
+    config['enable_pool_encryption'] = encryption_enabled
+    return config

ydb/tests/library/harness/kikimr_config.py

@@ -190,7 +190,8 @@ def __init__(
             cms_config=None,
             explicit_statestorage_config=None,
             system_tablets=None,
-            protected_mode=False,
+            protected_mode=False,  # Authentication
+            enable_pool_encryption=False,
             tiny_mode=False,
             module=None,
     ):
@@ -222,6 +223,7 @@ def __init__(
         erasure = Erasure.NONE if erasure is None else erasure
         self.system_tablets = system_tablets
         self.protected_mode = protected_mode
+        self.enable_pool_encryption = enable_pool_encryption
         self.module = module
         self.__grpc_ssl_enable = grpc_ssl_enable or protected_mode
         self.__grpc_tls_data_path = None
@@ -684,6 +686,7 @@ def grpc_tls_ca(self):
     @property
     def domains_txt(self):
         app_config = config_pb2.TAppConfig()
+        assert not self.enable_pool_encryption, "pool encryption is not addressed in domains.txt"
         Parse(read_binary(__name__, "resources/default_domains.txt"), app_config.DomainsConfig)
         return app_config.DomainsConfig
 
@@ -947,3 +950,8 @@ def __build(self):
         self._add_state_storage_config()
         if not self.use_self_management and not self.explicit_hosts_and_host_configs:
             self._initialize_pdisks_info()
+
+        if self.enable_pool_encryption:
+            for domain in self.yaml_config['domains_config']['domain']:
+                for pool_type in domain['storage_pool_types']:
+                    pool_type['pool_config']['encryption_mode'] = 1

ydb/tests/library/harness/kikimr_runner.py

@@ -641,6 +641,21 @@ def __register_slot(self, tenant_affiliation=None, encryption_key=None, seed_nod
             self.nodes[1].grpc_ssl_port if self.__configurator.grpc_ssl_enable
             else self.nodes[1].grpc_port
         )
+
+        if tenant_affiliation is None:
+            tenant_affiliation = "dynamic"
+
+        if encryption_key is None and self.__configurator.enable_pool_encryption:
+            workdir = os.path.join(self.__configurator.working_dir, self.__cluster_name)
+            slug = tenant_affiliation.replace('/', '_')
+            secret_path = os.path.join(workdir, slug + "_secret.txt")
+            with open(secret_path, "w") as writer:
+                writer.write("fake_secret_data_for_%s" % slug)
+            keyfile_path = os.path.join(workdir, slug + "_key.txt")
+            with open(keyfile_path, "w") as writer:
+                writer.write('Keys { ContainerPath: "%s" Pin: "" Id: "%s" Version: 1 } ' % (secret_path, slug))
+            encryption_key = keyfile_path
+
         self._slots[slot_index] = KiKiMRNode(
             node_id=slot_index,
             config_path=self.config_path,
@@ -650,7 +665,7 @@ def __register_slot(self, tenant_affiliation=None, encryption_key=None, seed_nod
             udfs_dir=self.__common_udfs_dir,
             role='slot',
             node_broker_port=node_broker_port,
-            tenant_affiliation=tenant_affiliation if tenant_affiliation is not None else 'dynamic',
+            tenant_affiliation=tenant_affiliation,
             encryption_key=encryption_key,
             binary_path=self.__configurator.get_binary_path(slot_index),
             seed_nodes_file=seed_nodes_file,