From 0770d8a004db41d24f1c3f41e108a2bfd580a822 Mon Sep 17 00:00:00 2001 From: François Cami Date: Mar 28 2019 16:57:58 +0000 Subject: ipatests: Exercise hidden replica feature A hidden replica is a replica that does not advertise its services via DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a hidden replica, but are still free to explicitly connect to it. Fixes: https://pagure.io/freeipa/issue/7892 Co-authored-by: Francois Cami Signed-off-by: Francois Cami Reviewed-By: Francois Cami Reviewed-By: Thomas Woerner --- diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml index fee3321..4eb2c07 100644 --- a/ipatests/prci_definitions/nightly_f28.yaml +++ b/ipatests/prci_definitions/nightly_f28.yaml @@ -772,6 +772,18 @@ jobs: timeout: 7200 topology: *master_1repl + fedora-28/test_replica_promotion_TestHiddenReplicaPromotion: + requires: [fedora-28/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-28/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion + template: *ci-master-f28 + timeout: 7200 + topology: *master_2repl_1client + fedora-28/test_upgrade: requires: [fedora-28/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml index 39dca47..7f00204 100644 --- a/ipatests/prci_definitions/nightly_master.yaml +++ b/ipatests/prci_definitions/nightly_master.yaml @@ -772,6 +772,18 @@ jobs: timeout: 7200 topology: *master_1repl + fedora-29/test_replica_promotion_TestHiddenReplicaPromotion: + requires: [fedora-29/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-29/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion + template: *ci-master-f29 + timeout: 7200 + topology: *master_2repl_1client + fedora-29/test_upgrade: requires: [fedora-29/build] priority: 50 
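Review bot: The new job asks for `topology: *master_2repl_1client`, but the test class added in this commit sets `num_replicas = 1` and never touches a client, so one replica and the client host look unused for the whole 7200-second slot. `topology: *master_1repl`, which the job just above this hunk already uses, appears to be enough unless the second replica is planned for a follow-up. The same line is added in nightly_master.yaml and nightly_rawhide.yaml. The topology anchors are defined outside these hunks, so their exact host counts should be confirmed there.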
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml index ebf3cdd..2f79fb0 100644 --- a/ipatests/prci_definitions/nightly_rawhide.yaml +++ b/ipatests/prci_definitions/nightly_rawhide.yaml @@ -772,6 +772,18 @@ jobs: timeout: 7200 topology: *master_1repl + fedora-rawhide/test_replica_promotion_TestHiddenReplicaPromotion: + requires: [fedora-rawhide/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-rawhide/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion + template: *ci-master-frawhide + timeout: 7200 + topology: *master_2repl_1client + fedora-rawhide/test_upgrade: requires: [fedora-rawhide/build] priority: 50 diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index c6e3550..cca2d7b 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -17,6 +17,12 @@ from ipalib.constants import ( DOMAIN_LEVEL_1, IPA_CA_NICKNAME) from ipaplatform.paths import paths from ipapython import certdb +from ipatests.test_integration.test_backup_and_restore import backup +from ipatests.test_integration.test_dns_locations import ( + resolve_records_from_server +) +# pylint: disable=unused-import +from ipatests.test_integration.test_dns_locations import logger config = get_global_config() 
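Review bot: The `# pylint: disable=unused-import` comment sits on a line of its own, and in that position pylint applies it from there to the end of the module rather than to the next statement, so any later unused import in this file goes unreported. Put it on the import it is meant for: `from ipatests.test_integration.test_dns_locations import logger  # pylint: disable=unused-import`. Nothing in the added test class references `logger`, so it is also worth checking whether the import is needed at all; if it is there only for a side effect, a short comment saying which one would help.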
@@ -713,3 +719,113 @@ class TestReplicaInForwardZone(IntegrationTest): # Restore /etc/hosts on master and replica restore_etc_hosts(master) restore_etc_hosts(replica) + + +class TestHiddenReplicaPromotion(IntegrationTest): + """ + Test hidden replica features + """ + + topology = 'star' + num_replicas = 1 + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=True, setup_kra=True) + + @replicas_cleanup + def test_hidden_replica_install(self): + self.replicas[0].run_command([ + 'ipa-client-install', + '-p', 'admin', + '-w', self.master.config.admin_password, + '--domain', self.master.domain.name, + '--realm', self.master.domain.realm, + '--server', self.master.hostname, + '-U' + ]) + self.replicas[0].run_command([ + 'ipa-replica-install', '-w', + self.master.config.admin_password, + '-n', self.master.domain.name, + '-r', self.master.domain.realm, + '--server', self.master.hostname, + '--setup-ca', + '--setup-dns', '--no-forwarders', + '--hidden-replica', + '--setup-kra', + '-U' + ]) + expected_txt = 'hidden' + result = self.replicas[0].run_command([ + 'ipa', 'ipa server-role-find', + '--server', self.replicas[0].hostname + ]) + assert expected_txt in result.stdout + dnsrecords = { + '.'.join(('_kerberos._udp', self.master.domain.name)): 'SRV', + '.'.join(('_kerberos._tcp', self.master.domain.name)): 'SRV', + '.'.join(('_ldap._tcp', self.master.domain.name)): 'SRV', + self.master.domain.name: 'NS' + } + nameserver = self.master.ip + results = [] + for record in dnsrecords: + srvr = resolve_records_from_server( + record, dnsrecords[record], nameserver + ) + results.extend(re.findall( + '|'.join((self.master.hostname, self.replicas[0].hostname)), + srvr) + ) + assert self.master.hostname in results + assert self.replicas[0].hostname not in results + + def test_hidden_replica_promote(self): + self.replicas[0].run_command([ + 'ipa', 'server-mod', '--state=enabled' + ]) + unexpected_txt = 'hidden' + result = self.replicas[0].run_command([ + 
'ipa', 'ipa server-role-find', + '--server', self.replicas[0].hostname + ]) + assert unexpected_txt not in result.stdout + + def test_hidden_replica_demote(self): + self.replicas[0].run_command([ + 'ipa', 'server-mod', '--state=hidden' + ]) + expected_txt = 'hidden' + result = self.replicas[0].run_command([ + 'ipa', 'ipa server-role-find', + '--server', self.replicas[0].hostname + ]) + assert expected_txt in result.stdout + + def test_hidden_replica_backup_and_restore(self): + """ + Exercises backup+restore and hidden replica uninstall + """ + # set expectations + expected_txt = 'hidden' + result = self.replicas[0].run_command([ + 'ipa', 'ipa server-role-find', + '--server', self.replicas[0].hostname + ]) + assert expected_txt in result.stdout + # backup + backup_path = backup(self.replicas[0]) + # uninstall + result = self.replicas[0].run_command([ + 'ipa-server-uninstall', '-U', 'hidden-replica' + ]) + # restore + dirman_password = self.master.config.dirman_password + self.replicas[0].run_command( + ['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes' + ) + # check that the resulting server can be promoted to enabled + self.replicas[0].run_command([ + 'ipa', 'server-mod', '--state=enabled' + ])
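Review bot: All four role checks pass `'ipa server-role-find'` to `ipa` as one argv element, so the client is asked for a command name containing a space instead of `server-role-find`; the list should be `'ipa', 'server-role-find', '--server', self.replicas[0].hostname`. If run_command ever returns instead of raising on that failure, `assert unexpected_txt not in result.stdout` in test_hidden_replica_promote passes on an error message, so the negative check should first confirm that the command succeeded. The `'ipa', 'server-mod', '--state=...'` calls name no server, and `'ipa-server-uninstall', '-U', 'hidden-replica'` does not look like an installed command (uninstall is normally `ipa-server-install --uninstall -U`); both should be confirmed against a real run. test_hidden_replica_install is wrapped in `@replicas_cleanup`, which is defined outside this hunk; if it uninstalls the replica after the test, as the name suggests, the three later tests run against a host that is no longer a replica. The only evidence that the replica is unadvertised is the SRV/NS lookup against the master's nameserver at install time, so repeating it after demote and restore, and covering the `ipa-ca` record and LDAP named in the commit message, would make the test match the property it claims.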