2015-10-06 13:26:01 -05:00
|
|
|
#
|
|
|
|
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
|
|
|
|
#
|
|
|
|
|
|
|
|
import time
|
|
|
|
|
|
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
|
|
from ipatests.test_integration import tasks
|
|
|
|
|
2016-02-24 09:31:33 -06:00
|
|
|
WAIT_AFTER_ARCHIVE = 30 # give some time to replication
|
2015-10-06 13:26:01 -05:00
|
|
|
|
|
|
|
|
|
|
|
class TestInstallKRA(IntegrationTest):
|
|
|
|
"""
|
|
|
|
Test if vault feature behaves as expected, when KRA is installed or not
|
|
|
|
installed on replica
|
|
|
|
"""
|
|
|
|
num_replicas = 1
|
|
|
|
topology = 'star'
|
|
|
|
|
|
|
|
vault_password = "password"
|
|
|
|
vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
|
|
|
|
vault_name_master = "ci_test_vault_master"
|
|
|
|
vault_name_master2 = "ci_test_vault_master2"
|
|
|
|
vault_name_master3 = "ci_test_vault_master3"
|
|
|
|
vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
|
|
|
|
vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
|
|
|
|
vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
|
|
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def install(cls, mh):
|
|
|
|
tasks.install_master(cls.master, setup_kra=True)
|
|
|
|
# do not install KRA on replica, it is part of test
|
|
|
|
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
|
|
|
|
|
|
|
|
def _retrieve_secret(self, vault_names=[]):
|
|
|
|
# try to retrieve secret from vault on both master and replica
|
|
|
|
for vault_name in vault_names:
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-retrieve",
|
|
|
|
vault_name,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
])
|
|
|
|
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-retrieve",
|
|
|
|
vault_name,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
])
|
|
|
|
|
|
|
|
def test_create_and_retrieve_vault_master(self):
|
|
|
|
# create vault
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_master,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_master,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_master])
|
|
|
|
|
|
|
|
def test_create_and_retrieve_vault_replica_without_kra(self):
|
|
|
|
# create vault
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_replica_without_KRA,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_replica_without_KRA,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_replica_without_KRA])
|
|
|
|
|
|
|
|
def test_create_and_retrieve_vault_replica_with_kra(self):
|
|
|
|
|
|
|
|
# install KRA on replica
|
2015-12-09 02:35:59 -06:00
|
|
|
tasks.install_kra(self.replicas[0], first_instance=False)
|
2015-10-06 13:26:01 -05:00
|
|
|
|
|
|
|
# create vault
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_replica_with_KRA,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_replica_with_KRA,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_replica_with_KRA])
|
|
|
|
|
|
|
|
################# master #################
|
|
|
|
# test master again after KRA was installed on replica
|
|
|
|
# create vault
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_master2,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_master2,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_master2])
|
|
|
|
|
|
|
|
################ old vaults ###############
|
|
|
|
# test if old vaults are still accessible
|
|
|
|
self._retrieve_secret([
|
|
|
|
self.vault_name_master,
|
|
|
|
self.vault_name_replica_without_KRA,
|
|
|
|
])
|
|
|
|
|
|
|
|
|
|
|
|
def test_create_and_retrieve_vault_after_kra_uninstall_on_replica(self):
|
|
|
|
# uninstall KRA on replica
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa-kra-install",
|
|
|
|
"-U",
|
|
|
|
"--uninstall",
|
|
|
|
])
|
|
|
|
|
|
|
|
# create vault
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_replica_KRA_uninstalled,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.replicas[0].run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_replica_KRA_uninstalled,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_replica_KRA_uninstalled])
|
|
|
|
|
|
|
|
################# master #################
|
|
|
|
# test master again after KRA was uninstalled on replica
|
|
|
|
# create vault
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-add",
|
|
|
|
self.vault_name_master3,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--type", "symmetric",
|
|
|
|
])
|
|
|
|
|
|
|
|
# archive secret
|
|
|
|
self.master.run_command([
|
|
|
|
"ipa", "vault-archive",
|
|
|
|
self.vault_name_master3,
|
|
|
|
"--password", self.vault_password,
|
|
|
|
"--data", self.vault_data,
|
|
|
|
])
|
|
|
|
time.sleep(WAIT_AFTER_ARCHIVE)
|
|
|
|
|
|
|
|
self._retrieve_secret([self.vault_name_master3,])
|
|
|
|
|
|
|
|
################ old vaults ###############
|
|
|
|
# test if old vaults are still accessible
|
|
|
|
self._retrieve_secret([
|
|
|
|
self.vault_name_master,
|
|
|
|
self.vault_name_master2,
|
|
|
|
self.vault_name_replica_without_KRA,
|
|
|
|
self.vault_name_replica_with_KRA,
|
|
|
|
])
|