From 07c0e60e6bdc5b8bfe1f42f76dae9f0a79e7abb0 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Aug 2016 16:35:14 -0700 Subject: moved infrastructure tests run by `leap run` to tests/server-tests --- tests/server-tests/white-box/couchdb.rb | 169 ++++++++++++++++++++ tests/server-tests/white-box/dummy.rb | 71 +++++++++ tests/server-tests/white-box/mx.rb | 271 ++++++++++++++++++++++++++++++++ tests/server-tests/white-box/network.rb | 90 +++++++++++ tests/server-tests/white-box/openvpn.rb | 16 ++ tests/server-tests/white-box/soledad.rb | 17 ++ tests/server-tests/white-box/webapp.rb | 114 ++++++++++++++ 7 files changed, 748 insertions(+) create mode 100644 tests/server-tests/white-box/couchdb.rb create mode 100644 tests/server-tests/white-box/dummy.rb create mode 100644 tests/server-tests/white-box/mx.rb create mode 100644 tests/server-tests/white-box/network.rb create mode 100644 tests/server-tests/white-box/openvpn.rb create mode 100644 tests/server-tests/white-box/soledad.rb create mode 100644 tests/server-tests/white-box/webapp.rb (limited to 'tests/server-tests/white-box') diff --git a/tests/server-tests/white-box/couchdb.rb b/tests/server-tests/white-box/couchdb.rb new file mode 100644 index 00000000..44a2769b --- /dev/null +++ b/tests/server-tests/white-box/couchdb.rb @@ -0,0 +1,169 @@ +raise SkipTest unless service?(:couchdb) + +require 'json' + +class CouchDB < LeapTest + depends_on "Network" + + def setup + end + + def test_00_Are_daemons_running? + assert_running 'bin/beam' + if multimaster? + assert_running 'bin/epmd' + end + pass + end + + # + # check to make sure we can get welcome response from local couchdb + # + def test_01_Is_CouchDB_running? + assert_get(couchdb_url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Could not get welcome message from #{couchdb_url}. Probably couchdb is not running." + end + pass + end + + # + # all configured nodes are in 'cluster_nodes' + # all nodes online and communicating are in 'all_nodes' + # + # this seems backward to me, so it might be the other way around. + # + def test_03_Are_configured_nodes_online? + return unless multimaster? + url = couchdb_url("/_membership", :username => 'admin') + assert_get(url) do |body| + response = JSON.parse(body) + nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes'] + nodes_available_but_not_configured = response['all_nodes'] - response['cluster_nodes'] + if nodes_configured_but_not_available.any? + warn "These nodes are configured but not available:", nodes_configured_but_not_available + end + if nodes_available_but_not_configured.any? + warn "These nodes are available but not configured:", nodes_available_but_not_configured + end + if response['cluster_nodes'] == response['all_nodes'] + pass + end + end + end + + def test_04_Do_ACL_users_exist? + acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'webapp', 'replication'] + url = couchdb_backend_url("/_users/_all_docs", :username => 'admin') + assert_get(url) do |body| + response = JSON.parse(body) + assert_equal acl_users.count, response['total_rows'] + actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') } + assert_equal acl_users.sort, actual_users.sort + end + pass + end + + def test_05_Do_required_databases_exist? + dbs_that_should_exist = ["customers","identities","keycache","shared","tickets","users", "tmp_users"] + dbs_that_should_exist << "tokens_#{rotation_suffix}" + dbs_that_should_exist << "sessions_#{rotation_suffix}" + dbs_that_should_exist.each do |db_name| + url = couchdb_url("/"+db_name, :username => 'admin') + assert_get(url) do |body| + assert response = JSON.parse(body) + assert_equal db_name, response['db_name'] + end + end + pass + end + + # disable ACL enforcement, because it's a known issue with bigcouch + # and will only confuse the user + # see https://leap.se/code/issues/6030 for more details + # + ## for now, this just prints warnings, since we are failing these tests. + ## + + #def test_06_Is_ACL_enforced? + # ok = assert_auth_fail( + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), + # {:limit => 1} + # ) + # ok = assert_auth_fail( + # couchdb_url('/users/_all_docs', :username => 'leap_mx'), + # {:limit => 1} + # ) && ok + # pass if ok + #end + + def test_07_Can_records_be_created? + record = DummyRecord.new + url = couchdb_url("/tokens_#{rotation_suffix}", :username => 'admin') + assert_post(url, record, :format => :json) do |body| + assert response = JSON.parse(body), "POST response should be JSON" + assert response["ok"], "POST response should be OK" + assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body| + assert response = JSON.parse(body), "DELETE response should be JSON" + assert response["ok"], "DELETE response should be OK" + end + end + pass + end + + # + # This is not really a "test", just an attempt to make sure that + # the mx tests that fire off dummy emails don't fill up the + # storage db. + # + # mx tests can't run this because they don't have access to + # the storage db. + # + # This "test" is responsible for both creating the db if it does not + # exist, and destroying if it does. + # + # Yes, this is super hacky. Properly, we should add something to + # the soledad api to support create/delete of user storage dbs. + # + def test_99_Delete_mail_storage_used_in_mx_tests + user = find_user_by_login(TEST_EMAIL_USER) + if user + if user_db_exists?(user["id"]) + # keep the test email db from filling up: + assert_destroy_user_db(user["id"], :username => 'admin') + end + # either way, make sure we leave a db for the mx tests: + assert_create_user_db(user["id"], :username => 'admin') + end + silent_pass + end + + private + + def multimaster? + mode == "multimaster" + end + + def mode + assert_property('couch.mode') + end + + # TODO: admin port is hardcoded for now but should be configurable. + def couchdb_backend_url(path="", options={}) + options = {port: multimaster? && "5986"}.merge options + couchdb_url(path, options) + end + + def rotation_suffix + rotation_suffix = Time.now.utc.to_i / 2592000 # monthly + end + + require 'securerandom' + require 'digest/sha2' + class DummyRecord < Hash + def initialize + self['data'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '') + self['_id'] = Digest::SHA512.hexdigest(self['data']) + end + end + +end diff --git a/tests/server-tests/white-box/dummy.rb b/tests/server-tests/white-box/dummy.rb new file mode 100644 index 00000000..a3e8ad68 --- /dev/null +++ b/tests/server-tests/white-box/dummy.rb @@ -0,0 +1,71 @@ +# only run in the dummy case where there is no hiera.yaml file. +raise SkipTest unless $node["dummy"] + +class Robot + def can_shoot_lasers? + "OHAI!" + end + + def can_fly? + "YES!" + end +end + +class TestDummy < LeapTest + def setup + @robot = Robot.new + end + + def test_lasers + assert_equal "OHAI!", @robot.can_shoot_lasers? + pass + end + + def test_fly + refute_match /^no/i, @robot.can_fly? + pass + end + + def test_fail + fail "fail" + pass + end + + def test_01_will_be_skipped + skip "test this later" + pass + end + + def test_socket_failure + assert_tcp_socket('localhost', 900000) + pass + end + + def test_warn + block_test do + warn "not everything", "is a success or failure" + end + end + + # used to test extracting the proper caller even when in a block + def block_test + yield + end + + def test_socket_success + fork { + Socket.tcp_server_loop('localhost', 12345) do |sock, client_addrinfo| + begin + sock.write('hi') + ensure + sock.close + exit + end + end + } + sleep 0.2 + assert_tcp_socket('localhost', 12345) + pass + end + +end diff --git a/tests/server-tests/white-box/mx.rb b/tests/server-tests/white-box/mx.rb new file mode 100644 index 00000000..0eeaacd0 --- /dev/null +++ b/tests/server-tests/white-box/mx.rb @@ -0,0 +1,271 @@ +raise SkipTest unless service?(:mx) + +require 'date' +require 'json' +require 'net/smtp' + +class Mx < LeapTest + depends_on "Network" + depends_on "Webapp" if service?(:webapp) + + def setup + end + + def test_01_Can_contact_couchdb? + dbs = ["identities"] + dbs.each do |db_name| + couchdb_urls("/"+db_name, couch_url_options).each do |url| + assert_get(url) do |body| + assert response = JSON.parse(body) + assert_equal db_name, response['db_name'] + end + end + end + pass + end + + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", couch_url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + end + + # + # this test picks a random identity document, then queries + # using the by_address view for that same document again. + # + def test_03_Can_query_identities_db? + ident = pick_random_identity + address = ident['address'] + url_base = %(/identities/_design/Identity/_view/by_address) + params = %(?include_docs=true&reduce=false&startkey="#{address}"&endkey="#{address}") + assert_get(couchdb_url(url_base+params, couch_url_options)) do |body| + assert response = JSON.parse(body) + assert record = response['rows'].first + assert_equal address, record['doc']['address'] + pass + end + end + + def test_04_Are_MX_daemons_running? + assert_running '.*/usr/bin/twistd.*mx.tac' + assert_running '^/usr/lib/postfix/master$' + assert_running '^/usr/sbin/postfwd' + assert_running 'postfwd2::cache$' + assert_running 'postfwd2::policy$' + assert_running '^/usr/sbin/unbound$' + assert_running '^/usr/bin/freshclam' + assert_running '^/usr/sbin/opendkim' + if Dir.glob("/var/lib/clamav/main.{c[vl]d,inc}").size > 0 and Dir.glob("/var/lib/clamav/daily.{c[vl]d,inc}").size > 0 + assert_running '^/usr/sbin/clamd' + assert_running '^/usr/sbin/clamav-milter' + pass + else + skip "Downloading the clamav signature files (/var/lib/clamav/{daily,main}.{c[vl]d,inc}) is still in progress, so clamd is not running." + end + end + + # + # TODO: test to make sure postmap returned the right result + # + def test_05_Can_postfix_query_leapmx? + ident = pick_random_identity(10, :with_public_key => true) + address = ident["address"] + + # + # virtual alias map: + # + # user@domain => 41c29a80a44f4775513c64ac9cab91b9@deliver.local + # + assert_run("postmap -v -q \"#{address}\" tcp:localhost:4242") + + # + # recipient access map: + # + # user@domain => [OK|REJECT|TEMP_FAIL] + # + # This map is queried by the mail server before delivery to the mail spool + # directory, and should check if the address is able to receive messages. + # Examples of reasons for denying delivery would be that the user is out of + # quota, is user, or have no pgp public key in the server. + # + # NOTE: in the future, when we support quota, we need to make sure that + # we don't randomly pick a user for this test that happens to be over quota. + # + assert_run("postmap -v -q \"#{address}\" tcp:localhost:2244") + + # + # certificate validity map: + # + # fa:2a:70:1f:d8:16:4e:1a:3b:15:c1:67:00:f0 => [200|500] + # + # Determines whether a particular SMTP client cert is authorized + # to relay mail, based on the fingerprint. + # + if ident["cert_fingerprints"] + not_expired = ident["cert_fingerprints"].select {|key, value| + Time.now.utc < DateTime.strptime("2016-01-03", "%F").to_time.utc + } + if not_expired.any? + fingerprint = not_expired.first + assert_run("postmap -v -q #{fingerprint} tcp:localhost:2424") + end + end + + pass + end + + # + # The email sent by this test might get bounced back. + # In this case, the test will pass, but the bounce message will + # get sent to root, so the sysadmin will still figure out pretty + # quickly that something is wrong. + # + def test_05_Can_deliver_email? + if pgrep('^/usr/sbin/clamd').empty? || pgrep('^/usr/sbin/clamav-milter').empty? + skip "Mail delivery is being deferred because clamav daemon is not running" + else + addr = [TEST_EMAIL_USER, property('domain.full_suffix')].join('@') + bad_addr = [TEST_BAD_USER, property('domain.full_suffix')].join('@') + + assert !identity_exists?(bad_addr), "the address #{bad_addr} must not exist." + if !identity_exists?(addr) + user = assert_create_user(TEST_EMAIL_USER, :monitor) + upload_public_key(user.id, TEST_EMAIL_PUBLIC_KEY) + end + assert identity_exists?(addr), "The identity #{addr} should have been created, but it doesn't exist yet." + assert_send_email(addr) + assert_raises(Net::SMTPError) do + send_email(bad_addr) + end + pass + end + end + + private + + def couch_url_options + { + :username => property('couchdb_leap_mx_user.username'), + :password => property('couchdb_leap_mx_user.password') + } + end + + # + # returns a random identity record that also has valid address + # and destination fields. + # + # options: + # + # * :with_public_key -- searches only for identities with public keys + # + # note to self: for debugging, here is the curl you want: + # curl --netrc "127.0.0.1:5984/identities/_design/Identity/_view/by_address?startkey=\"xxxx@leap.se\"&endkey=\"xxxx@leap.se\"&reduce=false&include_docs=true" + # + def pick_random_identity(tries=5, options={}) + assert_get(couchdb_url("/identities", couch_url_options)) do |body| + assert response = JSON.parse(body) + doc_count = response['doc_count'].to_i + if doc_count <= 1 + # the design document counts as one document. + skip "There are no identity documents yet." + else + # try repeatedly to get a valid doc + for i in 1..tries + offset = rand(doc_count) # pick a random document + url = couchdb_url("/identities/_all_docs?include_docs=true&limit=1&skip=#{offset}", couch_url_options) + assert_get(url) do |body| + assert response = JSON.parse(body) + record = response['rows'].first + if record['id'] =~ /_design/ + next + elsif record['doc'] && record['doc']['address'] + next if record['doc']['destination'].nil? || record['doc']['destination'].empty? + next if options[:with_public_key] && !record_has_key?(record) + return record['doc'] + else + fail "Identity document #{record['id']} is missing an address field. #{record['doc'].inspect}" + end + end + end + if options[:with_public_key] + skip "Could not find an Identity document with a public key for testing." + else + fail "Failed to find a valid Identity document (with address and destination)." + end + end + end + end + + def record_has_key?(record) + !record['doc']['keys'].nil? && + !record['doc']['keys'].empty? && + !record['doc']['keys']['pgp'].nil? && + !record['doc']['keys']['pgp'].empty? + end + + TEST_EMAIL_PUBLIC_KEY=< 7 + # on jessie, there is only one stunnel proc running instead of 6 + expected = 1 + else + expected = 6 + end + $node['stunnel']['clients'].each do |stunnel_type, stunnel_configs| + stunnel_configs.each do |stunnel_name, stunnel_conf| + config_file_name = "/etc/stunnel/#{stunnel_name}.conf" + processes = pgrep(config_file_name) + assert_equal expected, processes.length, "There should be #{expected} stunnel processes running for `#{config_file_name}`" + good_stunnel_pids += processes.map{|ps| ps[:pid]} + assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.' + assert_tcp_socket('localhost', port) + end + end + $node['stunnel']['servers'].each do |stunnel_name, stunnel_conf| + config_file_name = "/etc/stunnel/#{stunnel_name}.conf" + processes = pgrep(config_file_name) + assert_equal expected, processes.length, "There should be #{expected} stunnel processes running for `#{config_file_name}`" + good_stunnel_pids += processes.map{|ps| ps[:pid]} + assert accept_port = stunnel_conf['accept_port'], "Field `accept` must be present in property `stunnel.servers.#{stunnel_name}`" + assert_tcp_socket('localhost', accept_port) + assert connect_port = stunnel_conf['connect_port'], "Field `connect` must be present in property `stunnel.servers.#{stunnel_name}`" + assert_tcp_socket('localhost', connect_port, + "The local connect endpoint for stunnel `#{stunnel_name}` is unavailable.\n"+ + "This is probably caused by a daemon that died or failed to start on\n"+ + "port `#{connect_port}`, not stunnel itself.") + end + all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq + assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" + pass + end + + def test_03_Is_shorewall_running? + ignore unless File.exist?('/sbin/shorewall') + assert_run('/sbin/shorewall status') + pass + end + + THIRTY_DAYS = 60*60*24*30 + + def test_04_Are_server_certificates_valid? + cert_paths = ["/etc/x509/certs/leap_commercial.crt", "/etc/x509/certs/leap.crt"] + cert_paths.each do |cert_path| + if File.exist?(cert_path) + cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) + if Time.now > cert.not_after + fail "The certificate #{cert_path} expired on #{cert.not_after}" + elsif Time.now + THIRTY_DAYS > cert.not_after + fail "The certificate #{cert_path} will expire soon, on #{cert.not_after}" + end + end + end + pass + end + +end diff --git a/tests/server-tests/white-box/openvpn.rb b/tests/server-tests/white-box/openvpn.rb new file mode 100644 index 00000000..170d4503 --- /dev/null +++ b/tests/server-tests/white-box/openvpn.rb @@ -0,0 +1,16 @@ +raise SkipTest unless service?(:openvpn) + +class OpenVPN < LeapTest + depends_on "Network" + + def setup + end + + def test_01_Are_daemons_running? + assert_running '^/usr/sbin/openvpn .* /etc/openvpn/tcp_config.conf$' + assert_running '^/usr/sbin/openvpn .* /etc/openvpn/udp_config.conf$' + assert_running '^/usr/sbin/unbound$' + pass + end + +end diff --git a/tests/server-tests/white-box/soledad.rb b/tests/server-tests/white-box/soledad.rb new file mode 100644 index 00000000..d41bee58 --- /dev/null +++ b/tests/server-tests/white-box/soledad.rb @@ -0,0 +1,17 @@ +raise SkipTest unless service?(:soledad) + +require 'json' + +class Soledad < LeapTest + depends_on "Network" + depends_on "CouchDB" if service?(:couchdb) + + def setup + end + + def test_00_Is_Soledad_running? + assert_running '.*/usr/bin/twistd.*--wsgi=leap.soledad.server.application' + pass + end + +end diff --git a/tests/server-tests/white-box/webapp.rb b/tests/server-tests/white-box/webapp.rb new file mode 100644 index 00000000..40c234d6 --- /dev/null +++ b/tests/server-tests/white-box/webapp.rb @@ -0,0 +1,114 @@ +raise SkipTest unless service?(:webapp) + +require 'json' + +class Webapp < LeapTest + depends_on "Network" + + def setup + end + + def test_01_Can_contact_couchdb? + url = couchdb_url("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + + def test_02_Can_contact_couchdb_via_haproxy? + if property('haproxy.couch') + url = couchdb_url_via_haproxy("", url_options) + assert_get(url) do |body| + assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message." + end + pass + end + end + + def test_03_Are_daemons_running? + assert_running '^/usr/sbin/apache2' + assert_running '^/usr/bin/ruby /usr/bin/nickserver' + pass + end + + # + # this is technically a black-box test. so, move this when we have support + # for black box tests. + # + def test_04_Can_access_webapp? + assert_get('https://' + $node['webapp']['domain'] + '/') + pass + end + + def test_05_Can_create_and_authenticate_and_delete_user_via_API? + if property('webapp.allow_registration') + assert_tmp_user + pass + else + skip "New user registrations are disabled." + end + end + + def test_06_Can_sync_Soledad? + return unless property('webapp.allow_registration') + soledad_config = property('definition_files.soledad_service') + if soledad_config && !soledad_config.empty? + soledad_server = pick_soledad_server(soledad_config) + if soledad_server + assert_tmp_user do |user| + command = File.expand_path "../../helpers/soledad_sync.py", __FILE__ + soledad_url = "https://#{soledad_server}/user-#{user.id}" + soledad_cert = "/usr/local/share/ca-certificates/leap_ca.crt" + assert_run "#{command} #{user.id} #{user.session_token} #{soledad_url} #{soledad_cert} #{user.password}" + assert_user_db_privileges(user) + pass + end + end + else + skip 'No soledad service configuration' + end + end + + private + + def url_options + { + :username => property('webapp.couchdb_webapp_user.username'), + :password => property('webapp.couchdb_webapp_user.password') + } + end + + # + # pick a random soledad server. + # I am not sure why, but using IP address directly does not work. + # + def pick_soledad_server(soledad_config_json_str) + soledad_config = JSON.parse(soledad_config_json_str) + host_name = soledad_config['hosts'].keys.shuffle.first + if host_name + hostname = soledad_config['hosts'][host_name]['hostname'] + port = soledad_config['hosts'][host_name]['port'] + return "#{hostname}:#{port}" + else + return nil + end + end + + # + # checks if user db exists and is properly protected + # + def assert_user_db_privileges(user) + db_name = "/user-#{user.id}" + get(couchdb_url(db_name)) do |body, response, error| + code = response.code.to_i + assert code != 404, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + # After moving to couchdb, webapp user is not allowed to Read user dbs, + # but the return code for non-existent databases is 404. See #7674 + # 401 should come as we aren't supposed to have read privileges on it. + assert code != 200, "Incorrect security settings (design doc) on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + assert code == 401, "Unknown error on user db on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + end + end + +end -- cgit v1.2.3