diff options
author | elijah <elijah@riseup.net> | 2016-08-29 16:35:14 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2016-09-01 10:13:31 -0700 |
commit | 07c0e60e6bdc5b8bfe1f42f76dae9f0a79e7abb0 (patch) | |
tree | 9f79f8fbb207896dcfe38f24831d9b2b857199a4 /tests/white-box | |
parent | d5bac5850e4a895da5f9cfacb641fab15de1cf7b (diff) |
moved infrastructure tests run by `leap run` to tests/server-tests
Diffstat (limited to 'tests/white-box')
-rw-r--r-- | tests/white-box/couchdb.rb | 169 | ||||
-rw-r--r-- | tests/white-box/dummy.rb | 71 | ||||
-rw-r--r-- | tests/white-box/mx.rb | 271 | ||||
-rw-r--r-- | tests/white-box/network.rb | 90 | ||||
-rw-r--r-- | tests/white-box/openvpn.rb | 16 | ||||
-rw-r--r-- | tests/white-box/soledad.rb | 17 | ||||
-rw-r--r-- | tests/white-box/webapp.rb | 114 |
7 files changed, 0 insertions, 748 deletions
diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb deleted file mode 100644 index 44a2769b..00000000 --- a/tests/white-box/couchdb.rb +++ /dev/null @@ -1,169 +0,0 @@ -raise SkipTest unless service?(:couchdb) - -require 'json' - -class CouchDB < LeapTest - depends_on "Network" - - def setup - end - - def test_00_Are_daemons_running? - assert_running 'bin/beam' - if multimaster? - assert_running 'bin/epmd' - end - pass - end - - # - # check to make sure we can get welcome response from local couchdb - # - def test_01_Is_CouchDB_running? - assert_get(couchdb_url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." - end - pass - end - - # - # all configured nodes are in 'cluster_nodes' - # all nodes online and communicating are in 'all_nodes' - # - # this seems backward to me, so it might be the other way around. - # - def test_03_Are_configured_nodes_online? - return unless multimaster? - url = couchdb_url("/_membership", :username => 'admin') - assert_get(url) do |body| - response = JSON.parse(body) - nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] - nodes_available_but_not_configured = response['all_nodes'] - response['cluster_nodes'] - if nodes_configured_but_not_available.any? - warn "These nodes are configured but not available:", nodes_configured_but_not_available - end - if nodes_available_but_not_configured.any? - warn "These nodes are available but not configured:", nodes_available_but_not_configured - end - if response['cluster_nodes'] == response['all_nodes'] - pass - end - end - end - - def test_04_Do_ACL_users_exist? - acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'webapp', 'replication'] - url = couchdb_backend_url("/_users/_all_docs", :username => 'admin') - assert_get(url) do |body| - response = JSON.parse(body) - assert_equal acl_users.count, response['total_rows'] - actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') } - assert_equal acl_users.sort, actual_users.sort - end - pass - end - - def test_05_Do_required_databases_exist? - dbs_that_should_exist = ["customers","identities","keycache","shared","tickets","users", "tmp_users"] - dbs_that_should_exist << "tokens_#{rotation_suffix}" - dbs_that_should_exist << "sessions_#{rotation_suffix}" - dbs_that_should_exist.each do |db_name| - url = couchdb_url("/"+db_name, :username => 'admin') - assert_get(url) do |body| - assert response = JSON.parse(body) - assert_equal db_name, response['db_name'] - end - end - pass - end - - # disable ACL enforcement, because it's a known issue with bigcouch - # and will only confuse the user - # see https://leap.se/code/issues/6030 for more details - # - ## for now, this just prints warnings, since we are failing these tests. - ## - - #def test_06_Is_ACL_enforced? - # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :username => 'leap_mx'), - # {:limit => 1} - # ) - # ok = assert_auth_fail( - # couchdb_url('/users/_all_docs', :username => 'leap_mx'), - # {:limit => 1} - # ) && ok - # pass if ok - #end - - def test_07_Can_records_be_created? - record = DummyRecord.new - url = couchdb_url("/tokens_#{rotation_suffix}", :username => 'admin') - assert_post(url, record, :format => :json) do |body| - assert response = JSON.parse(body), "POST response should be JSON" - assert response["ok"], "POST response should be OK" - assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body| - assert response = JSON.parse(body), "DELETE response should be JSON" - assert response["ok"], "DELETE response should be OK" - end - end - pass - end - - # - # This is not really a "test", just an attempt to make sure that - # the mx tests that fire off dummy emails don't fill up the - # storage db. - # - # mx tests can't run this because they don't have access to - # the storage db. - # - # This "test" is responsible for both creating the db if it does not - # exist, and destroying if it does. - # - # Yes, this is super hacky. Properly, we should add something to - # the soledad api to support create/delete of user storage dbs. - # - def test_99_Delete_mail_storage_used_in_mx_tests - user = find_user_by_login(TEST_EMAIL_USER) - if user - if user_db_exists?(user["id"]) - # keep the test email db from filling up: - assert_destroy_user_db(user["id"], :username => 'admin') - end - # either way, make sure we leave a db for the mx tests: - assert_create_user_db(user["id"], :username => 'admin') - end - silent_pass - end - - private - - def multimaster? - mode == "multimaster" - end - - def mode - assert_property('couch.mode') - end - - # TODO: admin port is hardcoded for now but should be configurable. - def couchdb_backend_url(path="", options={}) - options = {port: multimaster? && "5986"}.merge options - couchdb_url(path, options) - end - - def rotation_suffix - rotation_suffix = Time.now.utc.to_i / 2592000 # monthly - end - - require 'securerandom' - require 'digest/sha2' - class DummyRecord < Hash - def initialize - self['data'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '') - self['_id'] = Digest::SHA512.hexdigest(self['data']) - end - end - -end diff --git a/tests/white-box/dummy.rb b/tests/white-box/dummy.rb deleted file mode 100644 index a3e8ad68..00000000 --- a/tests/white-box/dummy.rb +++ /dev/null @@ -1,71 +0,0 @@ -# only run in the dummy case where there is no hiera.yaml file. -raise SkipTest unless $node["dummy"] - -class Robot - def can_shoot_lasers? - "OHAI!" - end - - def can_fly? - "YES!" - end -end - -class TestDummy < LeapTest - def setup - @robot = Robot.new - end - - def test_lasers - assert_equal "OHAI!", @robot.can_shoot_lasers? - pass - end - - def test_fly - refute_match /^no/i, @robot.can_fly? - pass - end - - def test_fail - fail "fail" - pass - end - - def test_01_will_be_skipped - skip "test this later" - pass - end - - def test_socket_failure - assert_tcp_socket('localhost', 900000) - pass - end - - def test_warn - block_test do - warn "not everything", "is a success or failure" - end - end - - # used to test extracting the proper caller even when in a block - def block_test - yield - end - - def test_socket_success - fork { - Socket.tcp_server_loop('localhost', 12345) do |sock, client_addrinfo| - begin - sock.write('hi') - ensure - sock.close - exit - end - end - } - sleep 0.2 - assert_tcp_socket('localhost', 12345) - pass - end - -end diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb deleted file mode 100644 index 0eeaacd0..00000000 --- a/tests/white-box/mx.rb +++ /dev/null @@ -1,271 +0,0 @@ -raise SkipTest unless service?(:mx) - -require 'date' -require 'json' -require 'net/smtp' - -class Mx < LeapTest - depends_on "Network" - depends_on "Webapp" if service?(:webapp) - - def setup - end - - def test_01_Can_contact_couchdb? - dbs = ["identities"] - dbs.each do |db_name| - couchdb_urls("/"+db_name, couch_url_options).each do |url| - assert_get(url) do |body| - assert response = JSON.parse(body) - assert_equal db_name, response['db_name'] - end - end - end - pass - end - - def test_02_Can_contact_couchdb_via_haproxy? - if property('haproxy.couch') - url = couchdb_url_via_haproxy("", couch_url_options) - assert_get(url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." - end - pass - end - end - - # - # this test picks a random identity document, then queries - # using the by_address view for that same document again. - # - def test_03_Can_query_identities_db? - ident = pick_random_identity - address = ident['address'] - url_base = %(/identities/_design/Identity/_view/by_address) - params = %(?include_docs=true&reduce=false&startkey="#{address}"&endkey="#{address}") - assert_get(couchdb_url(url_base+params, couch_url_options)) do |body| - assert response = JSON.parse(body) - assert record = response['rows'].first - assert_equal address, record['doc']['address'] - pass - end - end - - def test_04_Are_MX_daemons_running? - assert_running '.*/usr/bin/twistd.*mx.tac' - assert_running '^/usr/lib/postfix/master$' - assert_running '^/usr/sbin/postfwd' - assert_running 'postfwd2::cache$' - assert_running 'postfwd2::policy$' - assert_running '^/usr/sbin/unbound$' - assert_running '^/usr/bin/freshclam' - assert_running '^/usr/sbin/opendkim' - if Dir.glob("/var/lib/clamav/main.{c[vl]d,inc}").size > 0 and Dir.glob("/var/lib/clamav/daily.{c[vl]d,inc}").size > 0 - assert_running '^/usr/sbin/clamd' - assert_running '^/usr/sbin/clamav-milter' - pass - else - skip "Downloading the clamav signature files (/var/lib/clamav/{daily,main}.{c[vl]d,inc}) is still in progress, so clamd is not running." - end - end - - # - # TODO: test to make sure postmap returned the right result - # - def test_05_Can_postfix_query_leapmx? - ident = pick_random_identity(10, :with_public_key => true) - address = ident["address"] - - # - # virtual alias map: - # - # user@domain => 41c29a80a44f4775513c64ac9cab91b9@deliver.local - # - assert_run("postmap -v -q \"#{address}\" tcp:localhost:4242") - - # - # recipient access map: - # - # user@domain => [OK|REJECT|TEMP_FAIL] - # - # This map is queried by the mail server before delivery to the mail spool - # directory, and should check if the address is able to receive messages. - # Examples of reasons for denying delivery would be that the user is out of - # quota, is user, or have no pgp public key in the server. - # - # NOTE: in the future, when we support quota, we need to make sure that - # we don't randomly pick a user for this test that happens to be over quota. - # - assert_run("postmap -v -q \"#{address}\" tcp:localhost:2244") - - # - # certificate validity map: - # - # fa:2a:70:1f:d8:16:4e:1a:3b:15:c1:67:00:f0 => [200|500] - # - # Determines whether a particular SMTP client cert is authorized - # to relay mail, based on the fingerprint. - # - if ident["cert_fingerprints"] - not_expired = ident["cert_fingerprints"].select {|key, value| - Time.now.utc < DateTime.strptime("2016-01-03", "%F").to_time.utc - } - if not_expired.any? - fingerprint = not_expired.first - assert_run("postmap -v -q #{fingerprint} tcp:localhost:2424") - end - end - - pass - end - - # - # The email sent by this test might get bounced back. - # In this case, the test will pass, but the bounce message will - # get sent to root, so the sysadmin will still figure out pretty - # quickly that something is wrong. - # - def test_05_Can_deliver_email? - if pgrep('^/usr/sbin/clamd').empty? || pgrep('^/usr/sbin/clamav-milter').empty? - skip "Mail delivery is being deferred because clamav daemon is not running" - else - addr = [TEST_EMAIL_USER, property('domain.full_suffix')].join('@') - bad_addr = [TEST_BAD_USER, property('domain.full_suffix')].join('@') - - assert !identity_exists?(bad_addr), "the address #{bad_addr} must not exist." - if !identity_exists?(addr) - user = assert_create_user(TEST_EMAIL_USER, :monitor) - upload_public_key(user.id, TEST_EMAIL_PUBLIC_KEY) - end - assert identity_exists?(addr), "The identity #{addr} should have been created, but it doesn't exist yet." - assert_send_email(addr) - assert_raises(Net::SMTPError) do - send_email(bad_addr) - end - pass - end - end - - private - - def couch_url_options - { - :username => property('couchdb_leap_mx_user.username'), - :password => property('couchdb_leap_mx_user.password') - } - end - - # - # returns a random identity record that also has valid address - # and destination fields. - # - # options: - # - # * :with_public_key -- searches only for identities with public keys - # - # note to self: for debugging, here is the curl you want: - # curl --netrc "127.0.0.1:5984/identities/_design/Identity/_view/by_address?startkey=\"xxxx@leap.se\"&endkey=\"xxxx@leap.se\"&reduce=false&include_docs=true" - # - def pick_random_identity(tries=5, options={}) - assert_get(couchdb_url("/identities", couch_url_options)) do |body| - assert response = JSON.parse(body) - doc_count = response['doc_count'].to_i - if doc_count <= 1 - # the design document counts as one document. - skip "There are no identity documents yet." - else - # try repeatedly to get a valid doc - for i in 1..tries - offset = rand(doc_count) # pick a random document - url = couchdb_url("/identities/_all_docs?include_docs=true&limit=1&skip=#{offset}", couch_url_options) - assert_get(url) do |body| - assert response = JSON.parse(body) - record = response['rows'].first - if record['id'] =~ /_design/ - next - elsif record['doc'] && record['doc']['address'] - next if record['doc']['destination'].nil? || record['doc']['destination'].empty? - next if options[:with_public_key] && !record_has_key?(record) - return record['doc'] - else - fail "Identity document #{record['id']} is missing an address field. #{record['doc'].inspect}" - end - end - end - if options[:with_public_key] - skip "Could not find an Identity document with a public key for testing." - else - fail "Failed to find a valid Identity document (with address and destination)." - end - end - end - end - - def record_has_key?(record) - !record['doc']['keys'].nil? && - !record['doc']['keys'].empty? && - !record['doc']['keys']['pgp'].nil? && - !record['doc']['keys']['pgp'].empty? - end - - TEST_EMAIL_PUBLIC_KEY=<<HERE ------BEGIN PGP PUBLIC KEY BLOCK----- -mI0EVvzIKQEEAN4f8FOGntJGTTD+fFUQS6y/ihn6tYLtyGZZbCOd0t/9kHt/raoR -xEUks8rCOPMqHX+yeHsvDBtDyZYTvyhtfuWrBUbYGW+QZ4Pdvo+7NyLHPW0dKsCB -Czrx7pxqpq1oq+LpUFqpSfjJTfYaGVDNXrPK144a7Rox2+MCbgq3twnFABEBAAG0 -EiA8dGVzdF91c2VyX2VtYWlsPoi4BBMBAgAiBQJW/MgpAhsvBgsJCAcDAgYVCAIJ -CgsEFgIDAQIeAQIXgAAKCRAqYf65XmeSk0orBADUXjEiGnjzyBpXqaiVmJr4MyfP -IfKTK4a+4qvR+2fseD7hteF98m26i1YRI5omLp4/MnxGSpgKFKIuWIdkEiLg7IJc -pFZVdoDVufEtzbj9gmOHlnteksbCtuESyB0Hytsba4uS9afcTJdGiPNMHeniI/SY -UKcCcIrQmpNIoOA5OLiNBFb8yCkBBAC+WMUQ+FC6GQ+pyaWlwTRsBAT4+Tp8w9jD -7PK4xeEmVZDirP0VkW18UeQEueWJ63ia7wIGf1WyVH1tbvgVyRLsjT2cpKo8c6Ok -NkhfGfjTnUJPeBNy8734UDIdqZLXJl0z6Z1R0CfOjBqvV25kWUvMkz/NEgZBhE+c -m3JuZy1k7QARAQABiQE9BBgBAgAJBQJW/MgpAhsuAKgJECph/rleZ5KTnSAEGQEC -AAYFAlb8yCkACgkQsJSYitQUOv4w1wQAn3atI5EsmRyw6iC6UVWWJv/lKi1Priyt -DsrdH5xUmHUgp6VU8Pw9Y6G+sv50KLfbVQ1l+8/3B71TjadsOxh+PBPsEyYpK6WX -TVGy44IDvFWGyOod8tmfcFN9IpU5DmSk/vny9G7RK/nbnta2VnfZOzwm5i3cNkPr -FGPL1z0K3qs0VwP+M7BXdqBRSFDDBpG1J0TrZioEjvKeOsT/Ul8mbVt7HQpcN93I -wTO4uky0Woy2nb7SbTQw6wOpU54u7+5dSQ03ltUHg1owy6Y3CMOeFL+e9ALpAZAU -aMwY7zMFhqlPVZZMfdMLRsdLin67RIM+OJ6A925AM52bEQT1YwkQlP4mvQY= -=qclE ------END PGP PUBLIC KEY BLOCK----- -HERE - - TEST_EMAIL_PRIVATE_KEY = <<HERE ------BEGIN PGP PRIVATE KEY BLOCK----- -lQHYBFb8yCkBBADeH/BThp7SRk0w/nxVEEusv4oZ+rWC7chmWWwjndLf/ZB7f62q -EcRFJLPKwjjzKh1/snh7LwwbQ8mWE78obX7lqwVG2BlvkGeD3b6Puzcixz1tHSrA -gQs68e6caqataKvi6VBaqUn4yU32GhlQzV6zyteOGu0aMdvjAm4Kt7cJxQARAQAB -AAP8DTFfcE6UG1AioJDU6KZ9oCaGONHLuxmNaArSofDrR/ODA9rLAUlp22N5LEdJ -46NyOhXrEwHx2aK2k+vbVDbgrP4ZTH7GxIK/2KzmH4zX0fWUNsaRy94Q12lJegXH -sH2Im8Jjxu16YwGgFNTX1fCPqLB6WdQpf1796s6+/3PnCDcCAOXTCul3N7V5Yl+9 -N2Anupn+qNDXKT/kiKIZLHsMbo7EriGWReG3lLj1cOJPC6Nf0uOEri4ErSjFEadR -F2TNITsCAPdsZjc5RGppUXyBfxhQkAnZ0r+UT2meCH3g3EVh3W9SBrXNhwipNpW3 -bPzRjUCDtmA8EOvd93oPCZv4/tb50P8B/jC+QIZ3GncP1CFPSVDoIZ7OUU5M1330 -DP77vG1GxeQvYO/hlxL5/KdtTR6m5zlIuooDxUaNJz1w5/oVjlG3NZKpl7QSIDx0 -ZXN0X3VzZXJfZW1haWw+iLgEEwECACIFAlb8yCkCGy8GCwkIBwMCBhUIAgkKCwQW -AgMBAh4BAheAAAoJECph/rleZ5KTSisEANReMSIaePPIGlepqJWYmvgzJ88h8pMr -hr7iq9H7Z+x4PuG14X3ybbqLVhEjmiYunj8yfEZKmAoUoi5Yh2QSIuDsglykVlV2 -gNW58S3NuP2CY4eWe16SxsK24RLIHQfK2xtri5L1p9xMl0aI80wd6eIj9JhQpwJw -itCak0ig4Dk4nQHYBFb8yCkBBAC+WMUQ+FC6GQ+pyaWlwTRsBAT4+Tp8w9jD7PK4 -xeEmVZDirP0VkW18UeQEueWJ63ia7wIGf1WyVH1tbvgVyRLsjT2cpKo8c6OkNkhf -GfjTnUJPeBNy8734UDIdqZLXJl0z6Z1R0CfOjBqvV25kWUvMkz/NEgZBhE+cm3Ju -Zy1k7QARAQABAAP9HrUaGvdpqTwVx3cHyXUhId6GzCuuKyaP4mZoGeBCcaQS2vQR -YtiykwBwX/AlfwSFJmmHKB6EErWIA+QyaEFR/fO56cHD2TY3Ql0BGcuHIx3+9pkp -biPBZdiiGz7oa6k6GWsbKSksqwV8poSXV7qbn+Bjm2xCM4VnjNZIrFtL7fkCAMOf -e9yHBFoXfc175bkNXEUXrNS34kv2ODAlx6KyY+PS77D+nprpHpGCnLn77G+xH1Xi -qvX1Dr/iSQU5Tzsd+tcCAPkYZulaC/9itwme7wIT3ur+mdqMHymsCzv9193iLgjJ -9t7fARo18yB845hI9Xv7TwRcoyuSpfvuM05rCMRzydsCAOI1MZeKtZSogXVa9QTX -sVGZeCkrujSVOgsA3w48OLc2OrwZskDfx5QHfeJnumjQLut5qsnZ+1onj9P2dGdn -JaChe4kBPQQYAQIACQUCVvzIKQIbLgCoCRAqYf65XmeSk50gBBkBAgAGBQJW/Mgp -AAoJELCUmIrUFDr+MNcEAJ92rSORLJkcsOogulFVlib/5SotT64srQ7K3R+cVJh1 -IKelVPD8PWOhvrL+dCi321UNZfvP9we9U42nbDsYfjwT7BMmKSull01RsuOCA7xV -hsjqHfLZn3BTfSKVOQ5kpP758vRu0Sv5257WtlZ32Ts8JuYt3DZD6xRjy9c9Ct6r -NFcD/jOwV3agUUhQwwaRtSdE62YqBI7ynjrE/1JfJm1bex0KXDfdyMEzuLpMtFqM -tp2+0m00MOsDqVOeLu/uXUkNN5bVB4NaMMumNwjDnhS/nvQC6QGQFGjMGO8zBYap -T1WWTH3TC0bHS4p+u0SDPjiegPduQDOdmxEE9WMJEJT+Jr0G -=hvJM ------END PGP PRIVATE KEY BLOCK----- -HERE - -end diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb deleted file mode 100644 index a08cdfbe..00000000 --- a/tests/white-box/network.rb +++ /dev/null @@ -1,90 +0,0 @@ -require 'socket' -require 'openssl' - -raise SkipTest if $node["dummy"] - -class Network < LeapTest - - def setup - end - - def test_01_Can_connect_to_internet? - assert_get('http://www.google.com/images/srpr/logo11w.png') - pass - end - - # - # example properties: - # - # stunnel: - # ednp_clients: - # elk_9002: - # accept_port: 4003 - # connect: elk.dev.bitmask.i - # connect_port: 19002 - # couch_server: - # accept: 15984 - # connect: "127.0.0.1:5984" - # - def test_02_Is_stunnel_running? - ignore unless $node['stunnel'] - good_stunnel_pids = [] - release = `facter lsbmajdistrelease` - if release.to_i > 7 - # on jessie, there is only one stunnel proc running instead of 6 - expected = 1 - else - expected = 6 - end - $node['stunnel']['clients'].each do |stunnel_type, stunnel_configs| - stunnel_configs.each do |stunnel_name, stunnel_conf| - config_file_name = "/etc/stunnel/#{stunnel_name}.conf" - processes = pgrep(config_file_name) - assert_equal expected, processes.length, "There should be #{expected} stunnel processes running for `#{config_file_name}`" - good_stunnel_pids += processes.map{|ps| ps[:pid]} - assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' - assert_tcp_socket('localhost', port) - end - end - $node['stunnel']['servers'].each do |stunnel_name, stunnel_conf| - config_file_name = "/etc/stunnel/#{stunnel_name}.conf" - processes = pgrep(config_file_name) - assert_equal expected, processes.length, "There should be #{expected} stunnel processes running for `#{config_file_name}`" - good_stunnel_pids += processes.map{|ps| ps[:pid]} - assert accept_port = stunnel_conf['accept_port'], "Field `accept` must be present in property `stunnel.servers.#{stunnel_name}`" - assert_tcp_socket('localhost', accept_port) - assert connect_port = stunnel_conf['connect_port'], "Field `connect` must be present in property `stunnel.servers.#{stunnel_name}`" - assert_tcp_socket('localhost', connect_port, - "The local connect endpoint for stunnel `#{stunnel_name}` is unavailable.\n"+ - "This is probably caused by a daemon that died or failed to start on\n"+ - "port `#{connect_port}`, not stunnel itself.") - end - all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq - assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" - pass - end - - def test_03_Is_shorewall_running? - ignore unless File.exist?('/sbin/shorewall') - assert_run('/sbin/shorewall status') - pass - end - - THIRTY_DAYS = 60*60*24*30 - - def test_04_Are_server_certificates_valid? - cert_paths = ["/etc/x509/certs/leap_commercial.crt", "/etc/x509/certs/leap.crt"] - cert_paths.each do |cert_path| - if File.exist?(cert_path) - cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) - if Time.now > cert.not_after - fail "The certificate #{cert_path} expired on #{cert.not_after}" - elsif Time.now + THIRTY_DAYS > cert.not_after - fail "The certificate #{cert_path} will expire soon, on #{cert.not_after}" - end - end - end - pass - end - -end diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb deleted file mode 100644 index 170d4503..00000000 --- a/tests/white-box/openvpn.rb +++ /dev/null @@ -1,16 +0,0 @@ -raise SkipTest unless service?(:openvpn) - -class OpenVPN < LeapTest - depends_on "Network" - - def setup - end - - def test_01_Are_daemons_running? - assert_running '^/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf$' - assert_running '^/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf$' - assert_running '^/usr/sbin/unbound$' - pass - end - -end diff --git a/tests/white-box/soledad.rb b/tests/white-box/soledad.rb deleted file mode 100644 index d41bee58..00000000 --- a/tests/white-box/soledad.rb +++ /dev/null @@ -1,17 +0,0 @@ -raise SkipTest unless service?(:soledad) - -require 'json' - -class Soledad < LeapTest - depends_on "Network" - depends_on "CouchDB" if service?(:couchdb) - - def setup - end - - def test_00_Is_Soledad_running? - assert_running '.*/usr/bin/twistd.*--wsgi=leap.soledad.server.application' - pass - end - -end diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb deleted file mode 100644 index 40c234d6..00000000 --- a/tests/white-box/webapp.rb +++ /dev/null @@ -1,114 +0,0 @@ -raise SkipTest unless service?(:webapp) - -require 'json' - -class Webapp < LeapTest - depends_on "Network" - - def setup - end - - def test_01_Can_contact_couchdb? - url = couchdb_url("", url_options) - assert_get(url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." - end - pass - end - - def test_02_Can_contact_couchdb_via_haproxy? - if property('haproxy.couch') - url = couchdb_url_via_haproxy("", url_options) - assert_get(url) do |body| - assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." - end - pass - end - end - - def test_03_Are_daemons_running? - assert_running '^/usr/sbin/apache2' - assert_running '^/usr/bin/ruby /usr/bin/nickserver' - pass - end - - # - # this is technically a black-box test. so, move this when we have support - # for black box tests. - # - def test_04_Can_access_webapp? - assert_get('https://' + $node['webapp']['domain'] + '/') - pass - end - - def test_05_Can_create_and_authenticate_and_delete_user_via_API? - if property('webapp.allow_registration') - assert_tmp_user - pass - else - skip "New user registrations are disabled." - end - end - - def test_06_Can_sync_Soledad? - return unless property('webapp.allow_registration') - soledad_config = property('definition_files.soledad_service') - if soledad_config && !soledad_config.empty? - soledad_server = pick_soledad_server(soledad_config) - if soledad_server - assert_tmp_user do |user| - command = File.expand_path "../../helpers/soledad_sync.py", __FILE__ - soledad_url = "https://#{soledad_server}/user-#{user.id}" - soledad_cert = "/usr/local/share/ca-certificates/leap_ca.crt" - assert_run "#{command} #{user.id} #{user.session_token} #{soledad_url} #{soledad_cert} #{user.password}" - assert_user_db_privileges(user) - pass - end - end - else - skip 'No soledad service configuration' - end - end - - private - - def url_options - { - :username => property('webapp.couchdb_webapp_user.username'), - :password => property('webapp.couchdb_webapp_user.password') - } - end - - # - # pick a random soledad server. - # I am not sure why, but using IP address directly does not work. - # - def pick_soledad_server(soledad_config_json_str) - soledad_config = JSON.parse(soledad_config_json_str) - host_name = soledad_config['hosts'].keys.shuffle.first - if host_name - hostname = soledad_config['hosts'][host_name]['hostname'] - port = soledad_config['hosts'][host_name]['port'] - return "#{hostname}:#{port}" - else - return nil - end - end - - # - # checks if user db exists and is properly protected - # - def assert_user_db_privileges(user) - db_name = "/user-#{user.id}" - get(couchdb_url(db_name)) do |body, response, error| - code = response.code.to_i - assert code != 404, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" - # After moving to couchdb, webapp user is not allowed to Read user dbs, - # but the return code for non-existent databases is 404. See #7674 - # 401 should come as we aren't supposed to have read privileges on it. - assert code != 200, "Incorrect security settings (design doc) on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" - assert code == 401, "Unknown error on user db on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" - end - end - -end |