Patches attached. Tests for https://fedorahosted.org/freeipa/ticket/5302
From 9c87a6c66a72fc5f1a35c39529c0e518b4736a18 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Tue, 6 Oct 2015 20:28:18 +0200 Subject: [PATCH 1/2] CI Test: add setup_kra options into install scripts
https://fedorahosted.org/freeipa/ticket/5302 --- ipatests/test_integration/tasks.py | 30 +++++++++++++++++++--- .../test_integration/test_backup_and_restore.py | 8 +----- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 7bfd12dce4ce0330ad18180948efec41f8f82fe2..918f78cde23d65a20fdab1a9484ea29ecceb4d10 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -246,7 +246,7 @@ def enable_replication_debugging(host): stdin_text=logging_ldif) -def install_master(host, setup_dns=True): +def install_master(host, setup_dns=True, setup_kra=False): host.collect_log(paths.IPASERVER_INSTALL_LOG) host.collect_log(paths.IPACLIENT_INSTALL_LOG) inst = host.domain.realm.replace('.', '-') @@ -273,10 +273,23 @@ def install_master(host, setup_dns=True): enable_replication_debugging(host) setup_sssd_debugging(host) + if setup_kra: + args = [ + "ipa-kra-install", + "-p", host.config.dirman_password, + "-U", + ] + host.run_command(args) + kinit_admin(host) -def install_replica(master, replica, setup_ca=True, setup_dns=False): +def get_replica_filename(replica): + return os.path.join(replica.config.test_dir, 'replica-info.gpg') + + +def install_replica(master, replica, setup_ca=True, setup_dns=False, + setup_kra=False): replica.collect_log(paths.IPAREPLICA_INSTALL_LOG) replica.collect_log(paths.IPAREPLICA_CONNCHECK_LOG) @@ -289,8 +302,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False): replica.hostname]) replica_bundle = master.get_file_contents( paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname) - replica_filename = os.path.join(replica.config.test_dir, - 'replica-info.gpg') + replica_filename = get_replica_filename(replica) replica.put_file_contents(replica_filename, replica_bundle) args = ['ipa-replica-install', '-U', '-p', replica.config.dirman_password, 
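Review bot: The `ipa-kra-install` argument list added to install_master in the `if setup_kra:` branch is written out again in install_replica (the `@@ -309,6 +321,16 @@` hunk) and a third time in test_vault.py, differing only in the optional replica-info file. A single helper in tasks.py would keep the three call sites in step. It would also give one place to record that the Directory Manager password is passed as a `-p` argument, so it is visible in the remote process list and in whatever the harness logs for run_command. install_master's body continues outside this hunk.

```python
def install_kra(host, replica_file=None):
    """Run ipa-kra-install unattended; replica_file is the replica-info bundle on a replica."""
    args = ["ipa-kra-install"]
    if replica_file is not None:
        args.append(replica_file)
    # the DM password travels in argv: use only with throwaway CI credentials
    args.extend(["-p", host.config.dirman_password, "-U"])
    host.run_command(args)

# … unchanged: install_master up to setup_sssd_debugging(host) …
    if setup_kra:
        install_kra(host)
```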
@@ -309,6 +321,16 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False): enable_replication_debugging(replica) setup_sssd_debugging(replica) + if setup_kra: + assert setup_ca, "CA must be installed on replica with KRA" + args = [ + "ipa-kra-install", + replica_filename, + "-p", replica.config.dirman_password, + "-U", + ] + replica.run_command(args) + kinit_admin(replica) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index c0d30fc8188384c0886f65d68e73e07436bcc897..8b9cd2dc4af146b2c00e6d2224625c4288854be8 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py @@ -354,13 +354,7 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest): @classmethod def install(cls, mh): - tasks.install_master(cls.master, setup_dns=True) - args = [ - "ipa-kra-install", - "-p", cls.master.config.dirman_password, - "-U", - ] - cls.master.run_command(args) + tasks.install_master(cls.master, setup_dns=True, setup_kra=True) def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): -- 2.4.3
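Review bot: The `assert setup_ca, ...` guard in the new `if setup_kra:` branch of install_replica is reached only at this late point in the function; judging by the 'ipa-replica-install' argument list built in the earlier hunk, that is after the replica has already been installed. An `assert` is also dropped entirely under `python -O`. Checking the argument combination at the top of the function fails fast and cannot be optimised away: `if setup_kra and not setup_ca: raise ValueError("CA must be installed on replica with KRA")`. install_replica starts and ends outside this hunk, so the exact placement needs to be confirmed against the full function.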
From 0a8614835e12b960a30fb9f52380a9de5ebe3d68 Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Tue, 6 Oct 2015 20:26:01 +0200 Subject: [PATCH 2/2] CI TEST: Vault Simple CI test for vault feature, including testing with replica Covers https://fedorahosted.org/freeipa/ticket/5302 --- ipatests/test_integration/test_vault.py | 205 ++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) create mode 100644 ipatests/test_integration/test_vault.py diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py new file mode 100644 index 0000000000000000000000000000000000000000..ba472af7152b508fb8a6fd92ebf18879518d2246 --- /dev/null +++ b/ipatests/test_integration/test_vault.py 
@@ -0,0 +1,205 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import time
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+WAIT_AFTER_ARCHIVE = 30 # give some time to replication
+
+
+class TestInstallKRA(IntegrationTest):
+ """
+ Test if vault feature behaves as expected, when KRA is installed or not
+ installed on replica
+ """
+ num_replicas = 1
+ topology = 'star'
+
+ vault_password = "password"
+ vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
+ vault_name_master = "ci_test_vault_master"
+ vault_name_master2 = "ci_test_vault_master2"
+ vault_name_master3 = "ci_test_vault_master3"
+ vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
+ vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
+ vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
+
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_kra=True)
+ # do not install KRA on replica, it is part of test
+ tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
+
+ def _retrieve_secret(self, vault_names=[]):
+ # try to retrieve secret from vault on both master and replica
+ for vault_name in vault_names:
+ self.master.run_command([
+ "ipa", "vault-retrieve",
+ vault_name,
+ "--password", self.vault_password,
+ ])
+
+ self.replicas[0].run_command([
+ "ipa", "vault-retrieve",
+ vault_name,
+ "--password", self.vault_password,
+ ])
+
+ def test_create_and_retrieve_vault_master(self):
+ # create vault
+ self.master.run_command([
+ "ipa", "vault-add",
+ self.vault_name_master,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.master.run_command([
+ "ipa", "vault-archive",
+ self.vault_name_master,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_master])
+
+ def test_create_and_retrieve_vault_replica_without_kra(self):
+ # create vault
+ self.replicas[0].run_command([
+ "ipa", "vault-add",
+ self.vault_name_replica_without_KRA,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.replicas[0].run_command([
+ "ipa", "vault-archive",
+ self.vault_name_replica_without_KRA,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_replica_without_KRA])
+
+ def test_create_and_retrieve_vault_replica_with_kra(self):
+
+ # install KRA on replica
+ self.replicas[0].run_command([
+ "ipa-kra-install",
+ tasks.get_replica_filename(self.replicas[0]),
+ "-p", self.replicas[0].config.dirman_password,
+ "-U",
+ ])
+
+ # create vault
+ self.replicas[0].run_command([
+ "ipa", "vault-add",
+ self.vault_name_replica_with_KRA,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.replicas[0].run_command([
+ "ipa", "vault-archive",
+ self.vault_name_replica_with_KRA,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_replica_with_KRA])
+
+ ################# master #################
+ # test master again after KRA was installed on replica
+ # create vault
+ self.master.run_command([
+ "ipa", "vault-add",
+ self.vault_name_master2,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.master.run_command([
+ "ipa", "vault-archive",
+ self.vault_name_master2,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_master2])
+
+ ################ old vaults ###############
+ # test if old vaults are still accessible
+ self._retrieve_secret([
+ self.vault_name_master,
+ self.vault_name_replica_without_KRA,
+ ])
+
+
+ def test_create_and_retrieve_vault_after_kra_uninstall_on_replica(self):
+ # uninstall KRA on replica
+ self.replicas[0].run_command([
+ "ipa-kra-install",
+ "-U",
+ "--uninstall",
+ ])
+
+ # create vault
+ self.replicas[0].run_command([
+ "ipa", "vault-add",
+ self.vault_name_replica_KRA_uninstalled,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.replicas[0].run_command([
+ "ipa", "vault-archive",
+ self.vault_name_replica_KRA_uninstalled,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_replica_KRA_uninstalled])
+
+ ################# master #################
+ # test master again after KRA was uninstalled on replica
+ # create vault
+ self.master.run_command([
+ "ipa", "vault-add",
+ self.vault_name_master3,
+ "--password", self.vault_password,
+ "--type", "symmetric",
+ ])
+
+ # archive secret
+ self.master.run_command([
+ "ipa", "vault-archive",
+ self.vault_name_master3,
+ "--password", self.vault_password,
+ "--data", self.vault_data,
+ ])
+ time.sleep(WAIT_AFTER_ARCHIVE)
+
+ self._retrieve_secret([self.vault_name_master3,])
+
+ ################ old vaults ###############
+ # test if old vaults are still accessible
+ self._retrieve_secret([
+ self.vault_name_master,
+ self.vault_name_master2,
+ self.vault_name_replica_without_KRA,
+ self.vault_name_replica_with_KRA,
+ ])
-- 2.4.3
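Review bot: `_retrieve_secret` only runs `ipa vault-retrieve` and relies on the exit status, so every test in this file passes even if a vault hands back empty data or data different from what was archived; for a secret store the content comparison is the check that matters. Capture the run_command result on both hosts and compare its output with `vault_data`. This assumes the CLI prints the data base64-encoded, as it was passed to `--data`, which should be confirmed against real output. The mutable default `vault_names=[]` can become `vault_names=()` in the same change. A retrieval with a wrong password that is expected to fail would cover the negative path as well.

```python
    def _retrieve_secret(self, vault_names=()):
        # retrieve from both master and replica and compare with what was archived
        for vault_name in vault_names:
            for host in (self.master, self.replicas[0]):
                result = host.run_command([
                    "ipa", "vault-retrieve",
                    vault_name,
                    "--password", self.vault_password,
                ])
                assert self.vault_data in result.stdout_text
```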