From f9804558bbe745df1141c84f00be83edcbe06c91 Mon Sep 17 00:00:00 2001 From: François Cami Date: Mar 26 2020 12:18:14 +0000 Subject: ipatests: test_replica_promotion.py: test KRA on Hidden Replica The Hidden replica tests did not test what happened when KRA was installed on a hidden replica and then other KRAs instantiated from this original one. Add a test scenario that covers this. Related: https://pagure.io/freeipa/issue/8240 Signed-off-by: François Cami Reviewed-By: Christian Heimes Reviewed-By: Michal Polovka --- diff --git a/ipatests/prci_definitions/nightly_latest.yaml b/ipatests/prci_definitions/nightly_latest.yaml index f60f676..bef6060 100644 --- a/ipatests/prci_definitions/nightly_latest.yaml +++ b/ipatests/prci_definitions/nightly_latest.yaml @@ -884,6 +884,18 @@ jobs: timeout: 7200 topology: *master_2repl_1client + fedora-latest/test_replica_promotion_TestHiddenReplicaKRA: + requires: [fedora-latest/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-latest/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA + template: *ci-master-latest + timeout: 7200 + topology: *master_2repl_1client + fedora-latest/test_upgrade: requires: [fedora-latest/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_latest_testing.yaml b/ipatests/prci_definitions/nightly_latest_testing.yaml index 2b635ef..8244ce9 100644 --- a/ipatests/prci_definitions/nightly_latest_testing.yaml +++ b/ipatests/prci_definitions/nightly_latest_testing.yaml @@ -940,6 +940,19 @@ jobs: timeout: 7200 topology: *master_2repl_1client + testing-fedora/test_replica_promotion_TestHiddenReplicaKRA: + requires: [testing-fedora/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{testing-fedora/build_url}' + update_packages: True + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA + template: *testing-master-latest + timeout: 7200 + topology: *master_2repl_1client + testing-fedora/test_upgrade: requires: [testing-fedora/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_previous.yaml b/ipatests/prci_definitions/nightly_previous.yaml index 6f2c180..43865ff 100644 --- a/ipatests/prci_definitions/nightly_previous.yaml +++ b/ipatests/prci_definitions/nightly_previous.yaml @@ -884,6 +884,18 @@ jobs: timeout: 7200 topology: *master_2repl_1client + fedora-previous/test_replica_promotion_TestHiddenReplicaKRA: + requires: [fedora-previous/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-previous/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA + template: *ci-master-previous + timeout: 7200 + topology: *master_2repl_1client + fedora-previous/test_upgrade: requires: [fedora-previous/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml index 4c03382..e12401a 100644 --- a/ipatests/prci_definitions/nightly_rawhide.yaml +++ b/ipatests/prci_definitions/nightly_rawhide.yaml @@ -953,6 +953,19 @@ jobs: timeout: 7200 topology: *master_2repl_1client + fedora-rawhide/test_replica_promotion_TestHiddenReplicaKRA: + requires: [fedora-rawhide/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-rawhide/build_url}' + update_packages: True + test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA + template: *ci-master-frawhide + timeout: 7200 + topology: *master_2repl_1client + fedora-rawhide/test_upgrade: requires: [fedora-rawhide/build] priority: 50 diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index c06e061..d11976a 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -970,3 +970,63 @@ class TestHiddenReplicaPromotion(IntegrationTest): result = self.replicas[0].run_command([ 'ipa-crlgen-manage', 'status']) assert "CRL generation: enabled" in result.stdout_text + + +class TestHiddenReplicaKRA(IntegrationTest): + """Test KRA & hidden replica features. + """ + topology = 'star' + num_replicas = 2 + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=True, setup_kra=False) + # hidden replica with CA and DNS + tasks.install_replica( + cls.master, cls.replicas[0], + setup_dns=True, setup_kra=False, + extra_args=('--hidden-replica',) + ) + # normal replica with CA and DNS + tasks.install_replica( + cls.replicas[0], cls.replicas[1], + setup_dns=True, setup_kra=False + ) + + def test_install_kra_on_hidden_replica(self): + # manually install KRA on hidden replica. + tasks.install_kra(self.replicas[0]) + + @pytest.mark.xfail(reason='freeipa ticket 8240', strict=True) + def test_kra_hidden_no_preconfig(self): + """Test installing KRA on a replica when all KRAs are hidden. + https://pagure.io/freeipa/issue/8240 + """ + + result = tasks.install_kra(self.replicas[1], raiseonerr=False) + + if result.returncode == 0: + # If KRA installation was successful, the only clean-up possible is + # uninstalling the whole replica as hiding the last visible KRA + # member is inhibited by design. + # This step is necessary so that the next test runs with all KRA + # members hidden too. + tasks.uninstall_replica(self.master, self.replicas[1]) + + assert "Failed to find an active KRA server!" not in result.stderr_text + assert result.returncode == 0 + + def test_kra_hidden_temp(self): + """Test for workaround: temporarily un-hide the hidden replica. + https://pagure.io/freeipa/issue/8240 + """ + self.replicas[0].run_command([ + 'ipa', 'server-state', + self.replicas[0].hostname, '--state=enabled' + ]) + result = tasks.install_kra(self.master, raiseonerr=False) + self.replicas[0].run_command([ + 'ipa', 'server-state', + self.replicas[0].hostname, '--state=hidden' + ]) + assert result.returncode == 0