authorMicah Anderson <micah@riseup.net>2017-11-28 11:35:01 -0500
committerMicah Anderson <micah@riseup.net>2017-11-28 11:35:01 -0500
commit0d251e2ceddd3e02ed8bba8725830689dbdd1397 (patch)
tree37d7096d9e458ca1e6431dff8a2f571553011c44 /tests/server-tests
parent93a181d44e2d8163ae44945aac1b6477e268170d (diff)
parentbf6c56d86c7ba45e7ca766d990a9e9162025e5ac (diff)
Merge tag 'refs/tags/0.10.0' into stable
Release 0.10.0
Diffstat (limited to 'tests/server-tests')
-rw-r--r--tests/server-tests/helpers/couchdb_helper.rb31
-rw-r--r--tests/server-tests/helpers/http_helper.rb4
-rw-r--r--tests/server-tests/helpers/os_helper.rb28
-rwxr-xr-xtests/server-tests/helpers/soledad_sync.py26
-rw-r--r--tests/server-tests/white-box/couchdb.rb4
-rw-r--r--tests/server-tests/white-box/mx.rb30
-rw-r--r--tests/server-tests/white-box/openvpn.rb42
-rw-r--r--tests/server-tests/white-box/soledad.rb2
-rw-r--r--tests/server-tests/white-box/webapp.rb15
9 files changed, 106 insertions, 76 deletions
diff --git a/tests/server-tests/helpers/couchdb_helper.rb b/tests/server-tests/helpers/couchdb_helper.rb
index efb2c2bf..0b6671ee 100644
--- a/tests/server-tests/helpers/couchdb_helper.rb
+++ b/tests/server-tests/helpers/couchdb_helper.rb
@@ -31,35 +31,6 @@ class LeapTest
end
#
- # generates a couchdb url for accessing couchdb via haproxy
- #
- # example properties:
- #
- # haproxy:
- # couch:
- # listen_port: 4096
- # servers:
- # panda:
- # backup: false
- # host: localhost
- # port: 4000
- # weight: 100
- # writable: true
- #
- def couchdb_url_via_haproxy(path="", options=nil)
- path = path.gsub('"', '%22')
- if options && options[:username] && options[:password]
- userpart = "%{username}:%{password}@" % options
- else
- userpart = ""
- end
- port = assert_property('haproxy.couch.listen_port')
- return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url|
- url.memo = '(via haproxy)'
- }
- end
-
- #
# generates a couchdb url for when couchdb is running locally.
#
# example properties:
@@ -140,4 +111,4 @@ class LeapTest
end
end
-end \ No newline at end of file
+end
diff --git a/tests/server-tests/helpers/http_helper.rb b/tests/server-tests/helpers/http_helper.rb
index 0d0bb7d5..3a1df9e7 100644
--- a/tests/server-tests/helpers/http_helper.rb
+++ b/tests/server-tests/helpers/http_helper.rb
@@ -5,7 +5,7 @@ class LeapTest
#
# In order to easily provide detailed error messages, it is useful
# to append a memo to a url string that details what this url is for
- # (e.g. stunnel, haproxy, etc).
+ # (e.g. stunnel, etc).
#
# So, the url happens to be a UrlString, the memo field is used
# if there is an error in assert_get.
@@ -154,4 +154,4 @@ class LeapTest
request
end
-end \ No newline at end of file
+end
diff --git a/tests/server-tests/helpers/os_helper.rb b/tests/server-tests/helpers/os_helper.rb
index 9923d5b1..6a71388c 100644
--- a/tests/server-tests/helpers/os_helper.rb
+++ b/tests/server-tests/helpers/os_helper.rb
@@ -20,11 +20,29 @@ class LeapTest
}.compact
end
- def assert_running(process, options={})
- processes = pgrep(process)
- assert processes.any?, "No running process for #{process}"
- if options[:single]
- assert processes.length == 1, "More than one process for #{process}"
+ #
+ # passes if the specified process is runnin.
+ #
+ # arguments:
+ #
+ # match => VALUE -- scan process table for VALUE
+ # service => VALUE -- call systemctl is-active VALUE
+ #
+ # single => true|false -- if true, there must be one result
+ #
+ def assert_running(match:nil, service:nil, single:false)
+ if match
+ processes = pgrep(match)
+ assert processes.any?, "No running process for #{match}"
+ if single
+ assert processes.length == 1, "More than one process for #{match}"
+ end
+ elsif service
+ `systemctl is-active #{service} 2>&1`
+ if $?.exitstatus != 0
+ output = `systemctl status #{service} 2>&1`
+ fail "Service '#{service}' is not running:\n#{output}"
+ end
end
end
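Review bot: assert_running passes vacuously when it is called with neither `match:` nor `service:`, because the `if match … elsif service` chain has no `else`; a call site that omits both keywords would report a daemon as running without checking anything. The service branch also interpolates `service` into a shell string in both backtick calls, so passing an argv list keeps the name from being parsed by the shell. `single:` is silently ignored when `service:` is used, which the doc comment should say, and that comment has a typo ("runnin"). The enclosing class starts and ends outside the hunk.

```ruby
def assert_running(match:nil, service:nil, single:false)
  if match
    # … unchanged: pgrep branch with the single: check …
  elsif service
    # argv form: no shell is involved, so the service name is never re-parsed
    unless system('systemctl', 'is-active', '--quiet', service)
      output = IO.popen(['systemctl', 'status', service], err: [:child, :out], &:read)
      fail "Service '#{service}' is not running:\n#{output}"
    end
  else
    fail ArgumentError, "assert_running requires match: or service:"
  end
end
```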
diff --git a/tests/server-tests/helpers/soledad_sync.py b/tests/server-tests/helpers/soledad_sync.py
index f4fc81ae..a92ec68f 100755
--- a/tests/server-tests/helpers/soledad_sync.py
+++ b/tests/server-tests/helpers/soledad_sync.py
@@ -27,6 +27,7 @@ os.environ['SKIP_TWISTED_SSL_CHECK'] = '1'
from twisted.internet import defer, reactor
from twisted.python import log
+from twisted.python.lockfile import FilesystemLock
from client_side_db import get_soledad_instance
from leap.common.events import flags
@@ -35,6 +36,7 @@ flags.set_events_enabled(False)
NUMDOCS = 1
USAGE = "Usage: %s uuid token server cert_file password" % sys.argv[0]
+SYNC_TIMEOUT = 60
def bail(msg, exitcode):
@@ -42,6 +44,13 @@ def bail(msg, exitcode):
sys.exit(exitcode)
+def obtain_lock():
+ scriptname = os.path.basename(__file__)
+ lockfile = os.path.join(tempfile.gettempdir(), scriptname + '.lock')
+ lock = FilesystemLock(lockfile)
+ return lock.lock()
+
+
def create_docs(soledad):
"""
Populates the soledad database with dummy messages, so we can exercise
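Review bot: obtain_lock() puts the lock at a predictable name under `tempfile.gettempdir()`, which is normally a shared, world-writable directory, so another local account can pre-create `<scriptname>.lock` and make every run bail with "another instance is already running". The FilesystemLock object is also discarded, so `unlock()` is never called and a finished run is only cleared by the stale-PID check on the next run. Consider placing the lock in a directory owned by the test user and returning the lock object so the exit paths can release it. `tempfile` is not imported in the visible hunks; presumably it is imported above, which is worth confirming.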
@@ -64,16 +73,30 @@ if __name__ == '__main__':
if len(sys.argv) < 6:
bail(USAGE, 2)
+ if not obtain_lock():
+ bail("another instance is already running", 1)
+
uuid, token, server, cert_file, passphrase = sys.argv[1:]
s = get_soledad_instance(
uuid, passphrase, tempdir, server, cert_file, token)
+ def syncWithTimeout(_):
+ d = s.sync()
+ reactor.callLater(SYNC_TIMEOUT, d.cancel)
+ return d
+
def onSyncDone(sync_result):
print "SYNC_RESULT:", sync_result
s.close()
rm_tempdir()
reactor.stop()
+ def trap_cancel(f):
+ f.trap(defer.CancelledError)
+ log.err("sync timed out after %s seconds" % SYNC_TIMEOUT)
+ rm_tempdir()
+ reactor.stop()
+
def log_and_exit(f):
log.err(f)
rm_tempdir()
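Review bot: trap_cancel() removes the temp directory and stops the reactor without calling `s.close()`, which onSyncDone() does before the same cleanup, so on a timeout the soledad instance appears to be still open when its directory is deleted. Adding `s.close()` before `rm_tempdir()` in trap_cancel would match the success path. The timed-out run also leaves through `reactor.stop()` exactly like a successful one, so unless the caller keys on the `SYNC_RESULT:` line (not visible here) a timeout may end with exit status 0. log_and_exit's body continues outside the hunk.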
@@ -81,8 +104,9 @@ if __name__ == '__main__':
def start_sync():
d = create_docs(s)
- d.addCallback(lambda _: s.sync())
+ d.addCallback(syncWithTimeout)
d.addCallback(onSyncDone)
+ d.addErrback(trap_cancel)
d.addErrback(log_and_exit)
reactor.callWhenRunning(start_sync)
diff --git a/tests/server-tests/white-box/couchdb.rb b/tests/server-tests/white-box/couchdb.rb
index 44a2769b..dcf71bc7 100644
--- a/tests/server-tests/white-box/couchdb.rb
+++ b/tests/server-tests/white-box/couchdb.rb
@@ -9,9 +9,9 @@ class CouchDB < LeapTest
end
def test_00_Are_daemons_running?
- assert_running 'bin/beam'
+ assert_running match: 'bin/beam'
if multimaster?
- assert_running 'bin/epmd'
+ assert_running match: 'bin/epmd'
end
pass
end
diff --git a/tests/server-tests/white-box/mx.rb b/tests/server-tests/white-box/mx.rb
index ecc8686c..dfad0eed 100644
--- a/tests/server-tests/white-box/mx.rb
+++ b/tests/server-tests/white-box/mx.rb
@@ -24,16 +24,6 @@ class Mx < LeapTest
pass
end
- def test_02_Can_contact_couchdb_via_haproxy?
- if property('haproxy.couch')
- url = couchdb_url_via_haproxy("", couch_url_options)
- assert_get(url) do |body|
- assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
- end
- pass
- end
- end
-
#
# this test picks a random identity document, then queries
# using the by_address view for that same document again.
@@ -52,17 +42,17 @@ class Mx < LeapTest
end
def test_04_Are_MX_daemons_running?
- assert_running '.*/usr/bin/twistd.*mx.tac'
- assert_running '^/usr/lib/postfix/master$'
- assert_running '^/usr/sbin/postfwd'
- assert_running 'postfwd2::cache$'
- assert_running 'postfwd2::policy$'
- assert_running '^/usr/sbin/unbound'
- assert_running '^/usr/bin/freshclam'
- assert_running '^/usr/sbin/opendkim'
+ assert_running match: '.*/usr/bin/twistd.*mx.tac'
+ assert_running match: '^/usr/lib/postfix/master$'
+ assert_running match: '^/usr/sbin/postfwd'
+ assert_running match: 'postfwd2::cache$'
+ assert_running match: 'postfwd2::policy$'
+ assert_running match: '^/usr/sbin/unbound'
+ assert_running match: '^/usr/bin/freshclam'
+ assert_running match: '^/usr/sbin/opendkim'
if Dir.glob("/var/lib/clamav/main.{c[vl]d,inc}").size > 0 and Dir.glob("/var/lib/clamav/daily.{c[vl]d,inc}").size > 0
- assert_running '^/usr/sbin/clamd'
- assert_running '^/usr/sbin/clamav-milter'
+ assert_running match: '^/usr/sbin/clamd'
+ assert_running match: '^/usr/sbin/clamav-milter'
pass
else
skip "Downloading the clamav signature files (/var/lib/clamav/{daily,main}.{c[vl]d,inc}) is still in progress, so clamd is not running."
diff --git a/tests/server-tests/white-box/openvpn.rb b/tests/server-tests/white-box/openvpn.rb
index d5cc2265..adda34a9 100644
--- a/tests/server-tests/white-box/openvpn.rb
+++ b/tests/server-tests/white-box/openvpn.rb
@@ -7,10 +7,46 @@ class OpenVPN < LeapTest
end
def test_01_Are_daemons_running?
- assert_running '^/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf$'
- assert_running '^/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf$'
- assert_running '^/usr/sbin/unbound'
+ assert_running match: '^/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf$'
+ assert_running match: '^/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf$'
+ assert_running match: '^/usr/sbin/unbound'
pass
end
+ def test_02_Can_connect_to_openvpn?
+ # because of the way the firewall rules are currently set up, you can only
+ # connect to the standard 1194 openvpn port when you are connecting
+ # from the same host as openvpn is running on.
+ #
+ # so, this is disabled for now:
+ # $node['openvpn']['ports'].each {|port| ...}
+ #
+
+ $node['openvpn']['protocols'].each do |protocol|
+ assert_openvpn_is_bound_to_port($node['openvpn']['gateway_address'], protocol, 1194)
+ end
+ pass
+ end
+
+ private
+
+ #
+ # asserting succeeds if openvpn appears to be correctly bound and we can
+ # connect to it. we don't actually try to establish a vpn connection in this
+ # test, we just check to see that it sort of looks like it is openvpn running
+ # on the port.
+ #
+ def assert_openvpn_is_bound_to_port(ip_address, protocol, port)
+ protocol = protocol.downcase
+ if protocol == 'udp'
+ # this sends a magic string to openvpn to attempt to start the protocol.
+ nc_output = `/bin/echo -e "\\x38\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00" | timeout 0.5 nc -u #{ip_address} #{port}`.strip
+ assert !nc_output.empty?, "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ elsif protocol == 'tcp'
+ assert system("openssl s_client -connect #{ip_address}:#{port} 2>&1 | grep -q CONNECTED"),
+ "Could not connect to OpenVPN daemon at #{ip_address} on port #{port} (#{protocol})."
+ else
+ assert false, "invalid openvpn protocol #{protocol}"
+ end
+ end
end
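Review bot: The tcp branch of assert_openvpn_is_bound_to_port has no time limit, unlike the udp branch, which wraps nc in `timeout 0.5`. `openssl s_client` keeps reading stdin and waits on a TLS handshake that an OpenVPN listener presumably will not complete, so the test can stall instead of failing. Bounding it, e.g. `timeout 5 openssl s_client -connect #{ip_address}:#{port} </dev/null 2>&1 | grep -q CONNECTED`, keeps the run finite. Both branches also interpolate `ip_address` and `port` from `$node` into a shell command; `Shellwords.escape`, or a plain `Socket.tcp(ip_address, port, connect_timeout: 5)` for the tcp check, would keep a malformed config value from being interpreted by the shell.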
diff --git a/tests/server-tests/white-box/soledad.rb b/tests/server-tests/white-box/soledad.rb
index 7c6918f9..112d6b9b 100644
--- a/tests/server-tests/white-box/soledad.rb
+++ b/tests/server-tests/white-box/soledad.rb
@@ -10,7 +10,7 @@ class Soledad < LeapTest
end
def test_00_Is_Soledad_running?
- assert_running '/usr/bin/python /usr/bin/twistd --uid=soledad --gid=soledad --pidfile=/var/run/soledad.pid.*'
+ assert_running service: 'soledad-server'
pass
end
diff --git a/tests/server-tests/white-box/webapp.rb b/tests/server-tests/white-box/webapp.rb
index da1ec8c5..42adf219 100644
--- a/tests/server-tests/white-box/webapp.rb
+++ b/tests/server-tests/white-box/webapp.rb
@@ -4,6 +4,7 @@ require 'json'
class Webapp < LeapTest
depends_on "Network"
+ depends_on "Soledad" if service?(:soledad)
def setup
end
@@ -16,19 +17,9 @@ class Webapp < LeapTest
pass
end
- def test_02_Can_contact_couchdb_via_haproxy?
- if property('haproxy.couch')
- url = couchdb_url_via_haproxy("", url_options)
- assert_get(url) do |body|
- assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
- end
- pass
- end
- end
-
def test_03_Are_daemons_running?
- assert_running '^/usr/sbin/apache2'
- assert_running '^ruby /usr/bin/nickserver'
+ assert_running match: '^/usr/sbin/apache2'
+ assert_running match: 'ruby /usr/bin/nickserver'
pass
end