IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
a709da6748
freeipa/ipatests/test_integration/test_vault.py
François Cami a709da6748 Add a shared-vault-retrieve test 
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00

206 lines
6.5 KiB
Python
Raw Blame History

#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
import time
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
WAIT_AFTER_ARCHIVE = 45 # give some time to replication
class TestInstallKRA(IntegrationTest):
"""
Test if vault feature behaves as expected, when KRA is installed or not
installed on replica
"""
num_replicas = 1
topology = 'star'
vault_password = "password"
vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
vault_user = "vault_user"
vault_user_password = "vault_user_password"
vault_name_master = "ci_test_vault_master"
vault_name_master2 = "ci_test_vault_master2"
vault_name_master3 = "ci_test_vault_master3"
vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
shared_vault_name_replica_without_KRA = ("ci_test_shared"
"_vault_replica_without_kra")
vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
@classmethod
def install(cls, mh):
tasks.install_master(cls.master, setup_kra=True)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def _retrieve_secret(self, vault_names=[]):
# try to retrieve secret from vault on both master and replica
for vault_name in vault_names:
self.master.run_command([
"ipa", "vault-retrieve",
vault_name,
"--password", self.vault_password,
])
self.replicas[0].run_command([
"ipa", "vault-retrieve",
vault_name,
"--password", self.vault_password,
])
def test_create_and_retrieve_vault_master(self):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name_master,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name_master,
"--password", self.vault_password,
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
self._retrieve_secret([self.vault_name_master])
def test_create_and_retrieve_vault_replica_without_kra(self):
# create vault
self.replicas[0].run_command([
"ipa", "vault-add",
self.vault_name_replica_without_KRA,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.replicas[0].run_command([
"ipa", "vault-archive",
self.vault_name_replica_without_KRA,
"--password", self.vault_password,
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
self._retrieve_secret([self.vault_name_replica_without_KRA])
def test_create_and_retrieve_shared_vault_replica_without_kra(self):
# create vault
self.replicas[0].run_command([
"ipa", "vault-add",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--type", "standard",
])
# archive secret
self.replicas[0].run_command([
"ipa", "vault-archive",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
# add non-admin user
self.replicas[0].run_command([
'ipa', 'user-add', self.vault_user,
'--first', self.vault_user,
'--last', self.vault_user,
'--password'],
stdin_text=self.vault_user_password)
# add it to vault
self.replicas[0].run_command([
"ipa", "vault-add-member",
self.shared_vault_name_replica_without_KRA,
"--shared",
"--users", self.vault_user,
])
self.replicas[0].run_command([
'kdestroy', '-A'])
user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
self.vault_user_password,
self.vault_user_password)
self.replicas[0].run_command([
'kinit', self.vault_user],
stdin_text=user_kinit)
# TODO: possibly refactor with:
# self._retrieve_secret([self.vault_name_replica_without_KRA])
self.replicas[0].run_command([
"ipa", "vault-retrieve",
"--shared",
self.shared_vault_name_replica_without_KRA,
"--out=test.txt"])
self.replicas[0].run_command([
'kdestroy', '-A'])
tasks.kinit_admin(self.replicas[0])
def test_create_and_retrieve_vault_replica_with_kra(self):
# install KRA on replica
tasks.install_kra(self.replicas[0], first_instance=False)
# create vault
self.replicas[0].run_command([
"ipa", "vault-add",
self.vault_name_replica_with_KRA,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.replicas[0].run_command([
"ipa", "vault-archive",
self.vault_name_replica_with_KRA,
"--password", self.vault_password,
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
self._retrieve_secret([self.vault_name_replica_with_KRA])
################# master #################
# test master again after KRA was installed on replica
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name_master2,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name_master2,
"--password", self.vault_password,
"--data", self.vault_data,
])
time.sleep(WAIT_AFTER_ARCHIVE)
self._retrieve_secret([self.vault_name_master2])
################ old vaults ###############
# test if old vaults are still accessible
self._retrieve_secret([
self.vault_name_master,
self.vault_name_replica_without_KRA,
])
Reference in New Issue View Git Blame Copy Permalink