-rwxr-xr-xbin/run_tests20
-rw-r--r--provider_base/common.json4
m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp80
-rw-r--r--puppet/modules/site_couchdb/manifests/mirror.pp3
-rw-r--r--puppet/modules/site_shorewall/manifests/stunnel/server.pp2
-rw-r--r--tests/white-box/couchdb.rb58
-rw-r--r--tests/white-box/network.rb33
8 files changed, 127 insertions, 73 deletions
diff --git a/bin/run_tests b/bin/run_tests
index 3ba89684..2ee027f4 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -133,7 +133,11 @@ class LeapTest < MiniTest::Unit::TestCase
http.use_ssl = true
end
http.start do |agent|
- response = agent.get(uri.request_uri)
+ request = Net::HTTP::Get.new uri.request_uri
+ if uri.user
+ request.basic_auth uri.user, uri.password
+ end
+ response = agent.request(request)
if response.is_a?(Net::HTTPSuccess)
yield response.body, response, nil
else
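Review bot: `uri.user` and `uri.password` return the userinfo exactly as it appears in the URL, still percent-encoded, so `request.basic_auth uri.user, uri.password` on the new lines sends an encoded secret whenever the caller had to escape `@`, `:`, `/` or `%` to build a parseable URL. Decode both before use, e.g. `request.basic_auth URI::DEFAULT_PARSER.unescape(uri.user), URI::DEFAULT_PARSER.unescape(uri.password.to_s)`; the `.to_s` covers a URL with a user but no password, for which `uri.password` is nil. A short comment such as `# credentials, if any, come from the URL's userinfo (percent-encoded)` would make the contract visible to callers that build these URLs. The enclosing method starts and ends outside the hunk.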
@@ -158,6 +162,20 @@ class LeapTest < MiniTest::Unit::TestCase
end
#
+ # only a warning for now, should be a failure in the future
+ #
+ def assert_auth_fail(url, params)
+ uri = URI(url)
+ get(url, params) do |body, response, error|
+ unless response.code.to_s == "401"
+ warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')."
+ return false
+ end
+ end
+ true
+ end
+
+ #
# test if a socket can be connected to
#
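Review bot: `response.code` in `assert_auth_fail` is dereferenced without a nil check, yet the `get` helper yields a third `error` argument, which suggests that on a connection failure `response` may be nil and this would raise NoMethodError instead of warning and returning false. Guard it with `unless response && response.code.to_s == "401"`. The method name promises an assertion but it only warns and returns a boolean, which the leading comment explains; a one-line docstring such as `# Returns true if GET url answers 401; otherwise warns and returns false. Does not fail the test.` would make `pass if ok` at the call sites read correctly.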
diff --git a/provider_base/common.json b/provider_base/common.json
index dcd018d8..87af2152 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -29,8 +29,8 @@
"cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
"key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
"ca_cert": "= try_file :ca_cert",
- "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, webapp.domain], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil",
- "commercial_key": "= x509.use_commercial ? file([:commercial_key, webapp.domain], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil",
+ "commercial_cert": "= x509.use_commercial ? file([:commercial_cert, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil",
+ "commercial_key": "= x509.use_commercial ? file([:commercial_key, try{webapp.domain}||domain.full_suffix], :missing => 'commercial x509 certificate for node $node. Add file $file, or run `leap cert csr` to generate a temporary self-signed cert and CSR you can use to purchase a real cert.') : nil",
"commercial_ca_cert": "= x509.use_commercial ? try_file(:commercial_ca_cert) : nil"
},
"service_type": "internal_service",
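Review bot: The rewritten `commercial_key` line keeps the `:missing` message `'commercial x509 certificate for node $node. …'`, so a missing key file is reported as a missing certificate, which is misleading during `leap cert` troubleshooting. Since the line is already being touched, change the message on that line to say `'commercial x509 key for node $node. …'` while leaving the `commercial_cert` message as is. The `try{webapp.domain}||domain.full_suffix` fallback itself looks correct, assuming `try{}` returns nil when `webapp` is not defined on the node.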
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject c8f5443e0998d3d3d43505ff5a6fdf8c438d6c2
+Subproject 8bc5ed434c124457b7467140152602c67a9547c
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6f7e974e..5a4fb936 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,46 +1,46 @@
class site_couchdb {
tag 'leap_service'
- $couchdb_config = hiera('couch')
- $couchdb_users = $couchdb_config['users']
-
- $couchdb_admin = $couchdb_users['admin']
- $couchdb_admin_user = $couchdb_admin['username']
- $couchdb_admin_pw = $couchdb_admin['password']
- $couchdb_admin_salt = $couchdb_admin['salt']
-
- $couchdb_leap_mx = $couchdb_users['leap_mx']
- $couchdb_leap_mx_user = $couchdb_leap_mx['username']
- $couchdb_leap_mx_pw = $couchdb_leap_mx['password']
- $couchdb_leap_mx_salt = $couchdb_leap_mx['salt']
-
- $couchdb_nickserver = $couchdb_users['nickserver']
- $couchdb_nickserver_user = $couchdb_nickserver['username']
- $couchdb_nickserver_pw = $couchdb_nickserver['password']
- $couchdb_nickserver_salt = $couchdb_nickserver['salt']
-
- $couchdb_soledad = $couchdb_users['soledad']
- $couchdb_soledad_user = $couchdb_soledad['username']
- $couchdb_soledad_pw = $couchdb_soledad['password']
- $couchdb_soledad_salt = $couchdb_soledad['salt']
-
- $couchdb_tapicero = $couchdb_users['tapicero']
- $couchdb_tapicero_user = $couchdb_tapicero['username']
- $couchdb_tapicero_pw = $couchdb_tapicero['password']
- $couchdb_tapicero_salt = $couchdb_tapicero['salt']
-
- $couchdb_webapp = $couchdb_users['webapp']
- $couchdb_webapp_user = $couchdb_webapp['username']
- $couchdb_webapp_pw = $couchdb_webapp['password']
- $couchdb_webapp_salt = $couchdb_webapp['salt']
-
- $couchdb_replication = $couchdb_users['replication']
- $couchdb_replication_user= $couchdb_replication['username']
- $couchdb_replication_pw = $couchdb_replication['password']
- $couchdb_replication_salt= $couchdb_replication['salt']
-
- $couchdb_backup = $couchdb_config['backup']
- $couchdb_mode = $couchdb_config['mode']
+ $couchdb_config = hiera('couch')
+ $couchdb_users = $couchdb_config['users']
+
+ $couchdb_admin = $couchdb_users['admin']
+ $couchdb_admin_user = $couchdb_admin['username']
+ $couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_admin_salt = $couchdb_admin['salt']
+
+ $couchdb_leap_mx = $couchdb_users['leap_mx']
+ $couchdb_leap_mx_user = $couchdb_leap_mx['username']
+ $couchdb_leap_mx_pw = $couchdb_leap_mx['password']
+ $couchdb_leap_mx_salt = $couchdb_leap_mx['salt']
+
+ $couchdb_nickserver = $couchdb_users['nickserver']
+ $couchdb_nickserver_user = $couchdb_nickserver['username']
+ $couchdb_nickserver_pw = $couchdb_nickserver['password']
+ $couchdb_nickserver_salt = $couchdb_nickserver['salt']
+
+ $couchdb_soledad = $couchdb_users['soledad']
+ $couchdb_soledad_user = $couchdb_soledad['username']
+ $couchdb_soledad_pw = $couchdb_soledad['password']
+ $couchdb_soledad_salt = $couchdb_soledad['salt']
+
+ $couchdb_tapicero = $couchdb_users['tapicero']
+ $couchdb_tapicero_user = $couchdb_tapicero['username']
+ $couchdb_tapicero_pw = $couchdb_tapicero['password']
+ $couchdb_tapicero_salt = $couchdb_tapicero['salt']
+
+ $couchdb_webapp = $couchdb_users['webapp']
+ $couchdb_webapp_user = $couchdb_webapp['username']
+ $couchdb_webapp_pw = $couchdb_webapp['password']
+ $couchdb_webapp_salt = $couchdb_webapp['salt']
+
+ $couchdb_replication = $couchdb_users['replication']
+ $couchdb_replication_user = $couchdb_replication['username']
+ $couchdb_replication_pw = $couchdb_replication['password']
+ $couchdb_replication_salt = $couchdb_replication['salt']
+
+ $couchdb_backup = $couchdb_config['backup']
+ $couchdb_mode = $couchdb_config['mode']
if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch }
if $couchdb_mode == "master" { include site_couchdb::master }
diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp
index 1cbd9bcc..abe35c4c 100644
--- a/puppet/modules/site_couchdb/manifests/mirror.pp
+++ b/puppet/modules/site_couchdb/manifests/mirror.pp
@@ -1,5 +1,8 @@
class site_couchdb::mirror {
+ Class['site_couchdb::add_users']
+ -> Class['site_couchdb::mirror']
+
class { 'couchdb':
admin_pw => $site_couchdb::couchdb_admin_pw,
admin_salt => $site_couchdb::couchdb_admin_salt,
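Review bot: The new ordering `Class['site_couchdb::add_users'] -> Class['site_couchdb::mirror']` references `site_couchdb::add_users` without declaring it in this hunk; in Puppet a relationship to a class that is not declared anywhere in the catalog fails compilation with a "could not find resource" error. Presumably `init.pp` includes it, but that is not visible here, so either confirm the include exists or add `include site_couchdb::add_users` above the arrow. A comment such as `# users must exist before the mirror's replication is configured` would record why the ordering is needed. The class body continues outside the hunk.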
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
index db3ecd3e..798cd631 100644
--- a/puppet/modules/site_shorewall/manifests/stunnel/server.pp
+++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
@@ -12,7 +12,7 @@ define site_shorewall::stunnel::server($port) {
require => Package['shorewall']
}
shorewall::rule {
- 'net2fw-couchdb':
+ "net2fw-stunnel-server-${name}":
source => 'net',
destination => '$FW',
action => "stunnel_server_${name}(ACCEPT)",
diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb
index 9d5da94f..74bd47bf 100644
--- a/tests/white-box/couchdb.rb
+++ b/tests/white-box/couchdb.rb
@@ -10,8 +10,10 @@ class CouchDB < LeapTest
def test_00_Are_daemons_running?
assert_running 'tapicero'
- assert_running 'bin/beam'
- assert_running 'bin/epmd'
+ if multimaster?
+ assert_running 'bin/beam'
+ assert_running 'bin/epmd'
+ end
pass
end
@@ -29,6 +31,7 @@ class CouchDB < LeapTest
# compare the configured nodes to the nodes that are actually listed in bigcouch
#
def test_02_Is_cluster_membership_ok?
+ return unless multimaster?
url = couchdb_backend_url("/nodes/_all_docs")
neighbors = assert_property('couch.bigcouch.neighbors')
neighbors << assert_property('domain.full')
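Review bot: `return unless multimaster?` at the top of `test_02_Is_cluster_membership_ok?` makes MiniTest report the test as passed on a non-multimaster node even though nothing was checked; the same pattern is used in `test_03_Are_configured_nodes_online?` in the next hunk. Use `skip "only applies to multimaster mode" unless multimaster?` instead, so the run shows the test as skipped rather than green. The method body continues outside the hunk.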
@@ -48,7 +51,8 @@ class CouchDB < LeapTest
# this seems backward to me, so it might be the other way around.
#
def test_03_Are_configured_nodes_online?
- url = couchdb_url("/_membership")
+ return unless multimaster?
+ url = couchdb_url("/_membership", :user => 'admin')
assert_get(url) do |body|
response = JSON.parse(body)
nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes']
@@ -66,11 +70,11 @@ class CouchDB < LeapTest
end
def test_04_Do_ACL_users_exist?
- acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp']
+ acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp', 'replication']
url = couchdb_backend_url("/_users/_all_docs")
assert_get(url) do |body|
response = JSON.parse(body)
- assert_equal 6, response['total_rows']
+ assert_equal acl_users.count, response['total_rows']
actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') }
assert_equal acl_users.sort, actual_users.sort
end
@@ -88,22 +92,54 @@ class CouchDB < LeapTest
pass
end
+ #
+ # for now, this just prints warnings, since we are failing these tests.
+ #
+ def test_06_Is_ACL_enforced?
+ ok = assert_auth_fail(
+ couchdb_url('/users/_all_docs', :user => 'leap_mx'),
+ {:limit => 1}
+ )
+ ok = assert_auth_fail(
+ couchdb_url('/users/_all_docs', :user => 'leap_mx'),
+ {:limit => 1}
+ ) && ok
+ pass if ok
+ end
+
+ def test_07_What?
+ pass
+ end
+
private
- def couchdb_url(path="", port=nil)
+ def couchdb_url(path="", options=nil)
+ options||={}
@port ||= begin
assert_property 'couch.port'
$node['couch']['port']
end
- @password ||= begin
- assert_property 'couch.users.admin.password'
- $node['couch']['users']['admin']['password']
+ url = 'http://'
+ if options[:user]
+ assert_property 'couch.users.' + options[:user]
+ password = $node['couch']['users'][options[:user]]['password']
+ url += "%s:%s@" % [options[:user], password]
end
- "http://admin:#{@password}@localhost:#{port || @port}#{path}"
+ url += "localhost:#{options[:port] || @port}#{path}"
+ url
end
def couchdb_backend_url(path="")
- couchdb_url(path, "5986") # TODO: admin port is hardcoded for now but should be configurable.
+ # TODO: admin port is hardcoded for now but should be configurable.
+ couchdb_url(path, multimaster? && "5986")
+ end
+
+ def multimaster?
+ mode == "multimaster"
+ end
+
+ def mode
+ assert_property('couch.mode')
end
end
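Review bot: `couchdb_backend_url` passes `multimaster? && "5986"` as the second positional argument of `couchdb_url`, which is now `options`; in multimaster mode that is the String `"5986"`, and `options[:user]` on a String raises TypeError, so every backend URL in that mode breaks. It should be `couchdb_url(path, :port => (multimaster? && "5986"))`, which also keeps the non-multimaster case working through `options[:port] || @port` since `false` is falsy. Separately, the user and password interpolated with `"%s:%s@"` are not percent-encoded, so a password containing `@`, `:`, `/` or `%` produces a URL that `URI()` misparses or rejects; wrap both in `ERB::Util.url_encode` (and have the fetching side decode them). The two `assert_auth_fail` calls in `test_06_Is_ACL_enforced?` have identical arguments, so the second adds nothing; presumably a different user or path was intended. Also, unlike the old helper, `couchdb_backend_url` no longer embeds admin credentials, so `/_users/_all_docs` and `/nodes/_all_docs` are now fetched anonymously — verify whether `:user => 'admin'` was meant there, since these tests will fail once ACLs are enforced.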
diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb
index e0b0339d..118861a7 100644
--- a/tests/white-box/network.rb
+++ b/tests/white-box/network.rb
@@ -28,29 +28,26 @@ class Network < LeapTest
def test_02_Is_stunnel_running?
if $node['stunnel']
good_stunnel_pids = []
- $node['stunnel'].each do |stunnel_type, stunnel_configs|
- if stunnel_type =~ /_clients?$/
- stunnel_configs.each do |stunnel_name, stunnel_conf|
- config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
- processes = pgrep(config_file_name)
- assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
- good_stunnel_pids += processes.map{|ps| ps[:pid]}
- assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
- assert_tcp_socket('localhost', port)
- end
- elsif stunnel_type =~ /_server$/
- config_file_name = "/etc/stunnel/#{stunnel_type}.conf"
+ $node['stunnel']['clients'].each do |stunnel_type, stunnel_configs|
+ stunnel_configs.each do |stunnel_name, stunnel_conf|
+ config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
processes = pgrep(config_file_name)
assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
good_stunnel_pids += processes.map{|ps| ps[:pid]}
- assert accept = stunnel_configs['accept'], "Field `accept` must be present in property `stunnel.#{stunnel_type}`"
- assert_tcp_socket('localhost', accept)
- assert connect = stunnel_configs['connect'], "Field `connect` must be present in property `stunnel.#{stunnel_type}`"
- assert_tcp_socket(*connect.split(':'))
- else
- skip "Unknown stunnel type `#{stunnel_type}`"
+ assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
+ assert_tcp_socket('localhost', port)
end
end
+ $node['stunnel']['servers'].each do |stunnel_name, stunnel_conf|
+ config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
+ processes = pgrep(config_file_name)
+ assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
+ good_stunnel_pids += processes.map{|ps| ps[:pid]}
+ assert accept_port = stunnel_conf['accept_port'], "Field `accept` must be present in property `stunnel.servers.#{stunnel_name}`"
+ assert_tcp_socket('localhost', accept_port)
+ assert connect_port = stunnel_conf['connect_port'], "Field `connect` must be present in property `stunnel.servers.#{stunnel_name}`"
+ assert_tcp_socket('localhost', connect_port)
+ end
all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq
assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel"
pass
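Review bot: The assertion messages on the new server loop name the wrong fields: the code checks `stunnel_conf['accept_port']` and `stunnel_conf['connect_port']` but the messages say "Field `accept`" and "Field `connect`", which will send whoever reads a failure looking for keys that do not exist. Change them to "Field `accept_port` must be present in property `stunnel.servers.#{stunnel_name}`" and likewise for `connect_port`. The new code also indexes `$node['stunnel']['clients']` and `$node['stunnel']['servers']` unconditionally, whereas the old loop iterated whatever keys were present; if a node can define only clients or only servers, the missing key yields `nil.each` and a NoMethodError, so `($node['stunnel']['clients'] || {}).each` (and the same for servers) would be safer — confirm against the generated node config. The enclosing `if` and method end outside the hunk.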