From f643289f42a0d537da2e8ab6be4727d0bc679690 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Fri, 22 Mar 2019 19:29:01 +0100
Subject: [PATCH] ipatests: Exercise hidden replica feature

A hidden replica is a replica that does not advertise its services via DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a hidden replica, but are still free to explicitly connect to it.

Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami
Signed-off-by: Francois Cami
Reviewed-By: Thomas Woerner
Reviewed-By: Francois Cami
---
 .../test_replica_promotion.py | 114 ++++++++++++++++++
 1 file changed, 114 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 6608b23f7fb37948d54c21c88d572527356e7335..80890bf05cb242fe09af77aa27b411ac6194e2d6 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -17,6 +17,10 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipalib.constants import (
 DOMAIN_LEVEL_0, DOMAIN_LEVEL_1, DOMAIN_SUFFIX_NAME, IPA_CA_NICKNAME)
 from ipaplatform.paths import paths
+from ipatests.test_integration.test_backup_and_restore import backup
+from ipatests.test_integration.test_dns_locations import (
+ resolve_records_from_server
+)
 config = get_global_config()
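Review bot: The two added imports pull `backup` and `resolve_records_from_server` out of sibling test modules, which makes this file depend on the internals of test_backup_and_restore.py and test_dns_locations.py; helpers shared by several tests are easier to maintain in a common helper module such as the `tasks` module this file already uses. The new class also calls `re.findall`, and no `import re` is added here, so if the module does not already import `re` above line 17 the DNS check fails with NameError before either hostname assertion runs.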
@@ -795,3 +799,113 @@ class TestReplicaInForwardZone(IntegrationTest):
 # Restore /etc/hosts on master and replica
 restore_etc_hosts(master)
 restore_etc_hosts(replica)
+
+
+class TestHiddenReplicaPromotion(IntegrationTest):
+ """
+ Test hidden replica features
+ """
+
+ topology = 'star'
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
+
+ @replicas_cleanup
+ def test_hidden_replica_install(self):
+ self.replicas[0].run_command([
+ 'ipa-client-install',
+ '-p', 'admin',
+ '-w', self.master.config.admin_password,
+ '--domain', self.master.domain.name,
+ '--realm', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'
+ ])
+ self.replicas[0].run_command([
+ 'ipa-replica-install', '-w',
+ self.master.config.admin_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '--setup-ca',
+ '--setup-dns', '--no-forwarders',
+ '--hidden-replica',
+ '--setup-kra',
+ '-U'
+ ])
+ expected_txt = 'hidden'
+ result = self.replicas[0].run_command([
+ 'ipa', 'ipa server-role-find',
+ '--server', self.replicas[0].hostname
+ ])
+ assert expected_txt in result.stdout
+ dnsrecords = {
+ '.'.join(('_kerberos._udp', self.master.domain.name)): 'SRV',
+ '.'.join(('_kerberos._tcp', self.master.domain.name)): 'SRV',
+ '.'.join(('_ldap._tcp', self.master.domain.name)): 'SRV',
+ self.master.domain.name: 'NS'
+ }
+ nameserver = self.master.ip
+ results = []
+ for record in dnsrecords:
+ srvr = resolve_records_from_server(
+ record, dnsrecords[record], nameserver
+ )
+ results.extend(re.findall(
+ '|'.join((self.master.hostname, self.replicas[0].hostname)),
+ srvr)
+ )
+ assert self.master.hostname in results
+ assert self.replicas[0].hostname not in results
+
+ def test_hidden_replica_promote(self):
+ self.replicas[0].run_command([
+ 'ipa', 'server-mod', '--state=enabled'
+ ])
+ unexpected_txt = 'hidden'
+ result = self.replicas[0].run_command([
+ 'ipa', 'ipa server-role-find',
+ '--server', self.replicas[0].hostname
+ ])
+ assert unexpected_txt not in result.stdout
+
+ def test_hidden_replica_demote(self):
+ self.replicas[0].run_command([
+ 'ipa', 'server-mod', '--state=hidden'
+ ])
+ expected_txt = 'hidden'
+ result = self.replicas[0].run_command([
+ 'ipa', 'ipa server-role-find',
+ '--server', self.replicas[0].hostname
+ ])
+ assert expected_txt in result.stdout
+
+ def test_hidden_replica_backup_and_restore(self):
+ """
+ Exercises backup+restore and hidden replica uninstall
+ """
+ # set expectations
+ expected_txt = 'hidden'
+ result = self.replicas[0].run_command([
+ 'ipa', 'ipa server-role-find',
+ '--server', self.replicas[0].hostname
+ ])
+ assert expected_txt in result.stdout
+ # backup
+ backup_path = backup(self.replicas[0])
+ # uninstall
+ result = self.replicas[0].run_command([
+ 'ipa-server-uninstall', '-U', 'hidden-replica'
+ ])
+ # restore
+ dirman_password = self.master.config.dirman_password
+ self.replicas[0].run_command(
+ ['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes'
+ )
+ # check that the resulting server can be promoted to enabled
+ self.replicas[0].run_command([
+ 'ipa', 'server-mod', '--state=enabled'
+ ])
--
2.20.1
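Review bot: The four `server-role-find` calls pass `'ipa', 'ipa server-role-find'`, so the CLI receives the single argument `ipa server-role-find` rather than a subcommand; each should read `'ipa', 'server-role-find',` (in test_hidden_replica_install, _promote, _demote and _backup_and_restore). The `'ipa', 'server-mod', '--state=enabled'` and `'--state=hidden'` calls name no server, so nothing in the argv says which host changes state; if the state is meant to be set through `ipa server-state`, the call would be `'ipa', 'server-state', self.replicas[0].hostname, '--state=hidden'`. `'ipa-server-uninstall', '-U', 'hidden-replica'` does not look like an existing command, and the usual uninstall path is `'ipa-server-install', '--uninstall', '-U'`. The property that matters for a hidden replica, not being advertised, is asserted only once, against the master's nameserver right after install; repeating the SRV/NS lookup after promote and after demote, and covering the ipa-ca record named in the commit message, would catch a replica that stays advertised after it is hidden. The hostnames are also joined into the `re.findall` pattern unescaped, so wrapping both in `re.escape` keeps `.` from matching any character.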