def test_cl_encryption_setup_process(topo):
    """Turn on changelog encryption in a replication deployment that already works

    :id: 1a1b7d29-69f5-4f0e-91c4-e7f66140ff17
    :setup: Master Instance, Consumer Instance
    :steps:
        1. Enable TLS for the server
        2. Export changelog
        3. Enable changelog encryption
        4. Import changelog
        5. Verify replication is still working
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
    """
    master = topo.ms['master1']
    replica_consumer = topo.cs['consumer1']

    # Step 1: TLS on both ends.
    # NOTE(review): presumably required because the changelog key is wrapped
    # with the server certificate -- confirm against the server docs.
    log.info('Enable TLS ...')
    for instance in (master, replica_consumer):
        instance.enable_tls()

    # Step 2: dump the changelog to LDIF while encryption is still off.
    # NOTE(review): the export is presumably clear text; confirm where it is
    # written and that it is removed once the import below has succeeded.
    log.info('Export changelog ...')
    suffix_replica = Replicas(master).get(DEFAULT_SUFFIX)
    suffix_replica.begin_task_cl2ldif()
    # NOTE(review): the return value is discarded; verify that task_finished()
    # blocks until the task is done rather than only reporting its state.
    suffix_replica.task_finished()

    # Step 3: edit the configuration through DSEldif with the server stopped.
    log.info('Enable changelog encryption ...')
    config_file = DSEldif(master)
    master.stop()
    changelog_dn = (
        'cn=changelog,{}'.format(DN_USERROOT_LDBM)
        if ds_supports_new_changelog()
        else DN_CHANGELOG
    )
    config_file.replace(changelog_dn, 'nsslapd-encryptionalgorithm', 'AES')
    # A stored key is removed when present; presumably the server creates a
    # new one for the configured algorithm at startup -- confirm.
    if config_file.get(changelog_dn, 'nsSymmetricKey'):
        config_file.delete(changelog_dn, 'nsSymmetricKey')
    master.start()

    # Step 4: load the exported changelog back in.
    log.info('Import changelog ...')
    suffix_replica.begin_task_ldif2cl()
    suffix_replica.task_finished()

    # Step 5: only replication continuity is asserted here.
    # NOTE(review): nothing in this test checks that the changelog stored on
    # disk is actually encrypted after the import.
    log.info('Test replication is still working ...')
    assert suffix_replica.test_replication([replica_consumer])
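def _enable_changelog_encryption(inst, encrypt_algorithm):
    """Configure changelog encryption for master

    The instance is stopped, the changelog entry is edited through DSEldif,
    and the instance is started again.

    :param inst: server instance whose changelog entry is reconfigured
    :param encrypt_algorithm: value written to nsslapd-encryptionalgorithm
    """
    dse_ldif = DSEldif(inst)
    # The format arguments were swapped: the algorithm was printed where the
    # server id belongs and vice versa, which made the log line misleading.
    log.info('Configuring changelog encryption:{} for: {}'.format(
        encrypt_algorithm, inst.serverid))
    inst.stop()
    dse_ldif.replace(DN_CHANGELOG, 'nsslapd-encryptionalgorithm', encrypt_algorithm)
    # Remove a stored key if there is one; presumably the server generates a
    # key for the newly configured algorithm on the next start -- confirm.
    if dse_ldif.get(DN_CHANGELOG, 'nsSymmetricKey'):
        dse_ldif.delete(DN_CHANGELOG, 'nsSymmetricKey')
    inst.start()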
def test_add(topo, fake_attr_value):
    """Verify that DSEldif can add an attribute value to DN_CONFIG and read it back"""
    attr_name = "fakeAttr"
    editor = DSEldif(topo.standalone)

    log.info("Add {} to {}".format(attr_name, DN_CONFIG))
    editor.add(DN_CONFIG, attr_name, fake_attr_value)
    # Exactly the one value that was added must come back.
    assert editor.get(DN_CONFIG, attr_name) == [fake_attr_value]

    # Remove the attribute again so the configuration is left as it was found.
    log.info("Clean up")
    editor.delete(DN_CONFIG, attr_name)
    leftover = editor.get(DN_CONFIG, attr_name)
    assert not leftover
def test_delete_multivalue(topo):
    """Verify that deleting an attribute without naming a value removes all its values"""
    attr_name = "fakeAttr"
    values_to_add = ["fake1", "fake2", "fake3"]
    editor = DSEldif(topo.standalone)

    log.info("Add multivalued {} to {}".format(attr_name, DN_CONFIG))
    for single_value in values_to_add:
        editor.add(DN_CONFIG, attr_name, single_value)

    # No value argument is passed, so the whole attribute is targeted.
    log.info("Delete all values of {}".format(attr_name))
    editor.delete(DN_CONFIG, attr_name)
    leftover = editor.get(DN_CONFIG, attr_name)
    assert not leftover
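def _enable_changelog_encryption(inst, encrypt_algorithm):
    """Configure changelog encryption for supplier

    The instance is stopped, the changelog entry is edited through DSEldif,
    and the instance is started again. The entry that is edited depends on
    ds_supports_new_changelog().

    :param inst: server instance whose changelog entry is reconfigured
    :param encrypt_algorithm: value written to nsslapd-encryptionalgorithm
    """
    dse_ldif = DSEldif(inst)
    # The format arguments were swapped: the algorithm was printed where the
    # server id belongs and vice versa, which made the log line misleading.
    log.info('Configuring changelog encryption:{} for: {}'.format(encrypt_algorithm, inst.serverid))
    inst.stop()
    # Pick the changelog entry that matches the server's changelog layout.
    if ds_supports_new_changelog():
        changelog = 'cn=changelog,{}'.format(DN_USERROOT_LDBM)
    else:
        changelog = DN_CHANGELOG

    dse_ldif.replace(changelog, 'nsslapd-encryptionalgorithm', encrypt_algorithm)
    # Remove a stored key if there is one; presumably the server generates a
    # key for the newly configured algorithm on the next start -- confirm.
    if dse_ldif.get(changelog, 'nsSymmetricKey'):
        dse_ldif.delete(changelog, 'nsSymmetricKey')
    inst.start()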
def test_delete_singlevalue(topo):
    """Verify that deleting one named value leaves the attribute's other values in place"""
    attr_name = "fakeAttr"
    values_to_add = ["fake1", "fake2", "fake3"]
    removed, *kept = values_to_add
    editor = DSEldif(topo.standalone)

    log.info("Add multivalued {} to {}".format(attr_name, DN_CONFIG))
    for single_value in values_to_add:
        editor.add(DN_CONFIG, attr_name, single_value)

    # Only the first value is named, so only that one should disappear.
    log.info("Delete {}".format(removed))
    editor.delete(DN_CONFIG, attr_name, removed)

    remaining = editor.get(DN_CONFIG, attr_name)
    assert len(remaining) == 2
    assert removed not in remaining
    for survivor in kept:
        assert survivor in remaining

    # Remove the rest so the configuration is left as it was found.
    log.info("Clean up")
    editor.delete(DN_CONFIG, attr_name)
    leftover = editor.get(DN_CONFIG, attr_name)
    assert not leftover