示例#1
0
 def tearDown(self):
     if self.input.param("n2n_encryption_level_multiple_CA", None):
         ntonencryptionBase().disable_nton_cluster([self.master])
         CbServer.use_https = False
     self.x509 = x509main(host=self.master)
     self.x509.teardown_certs(servers=self.servers)
     super(MultipleCA, self).tearDown()
示例#2
0
 def setUp(self):
     super(MultipleCA, self).setUp()
     self.standard = self.input.param("standard", "pkcs8")
     self.passphrase_type = self.input.param("passphrase_type", "script")
     self.encryption_type = self.input.param("encryption_type", "aes256")
     self.wildcard_dns = self.input.param("wildcard_dns", None)
     self.passphrase_url = self.input.param(
         "rest_url", "https://testingsomething.free.beeceptor.com/")
     self.x509 = x509main(host=self.master,
                          standard=self.standard,
                          encryption_type=self.encryption_type,
                          passphrase_type=self.passphrase_type,
                          wildcard_dns=self.wildcard_dns,
                          passhprase_url=self.passphrase_url)
     for server in self.servers:
         self.x509.delete_inbox_folder_on_server(server=server)
     sample_bucket = self.input.param("sample_bucket", "travel-sample")
     if sample_bucket is not None:
         self.load_sample_bucket(self.master, sample_bucket)
     self.buckets = RestConnection(self.master).get_buckets()
     rest = RestConnection(self.master)
     for bucket in self.buckets:
         rest.change_bucket_props(bucket, replicaNumber=self.num_replicas)
     task = self.cluster.async_rebalance(self.servers[:self.nodes_init], [],
                                         [])
     self.wait_for_rebalance_to_complete(task)
     self.n2n_encryption_level_multiple_CA = self.input.param(
         "n2n_encryption_level_multiple_CA", None)
     if self.n2n_encryption_level_multiple_CA:
         ntonencryptionBase().setup_nton_cluster(
             [self.master],
             clusterEncryptionLevel=self.n2n_encryption_level_multiple_CA)
         CbServer.use_https = True
示例#3
0
 def setup_master(self,
                  state=None,
                  paths=None,
                  prefixs=None,
                  delimeters=None,
                  mode='rest',
                  user='******',
                  password='******',
                  non_local_CA_upload=True):
     level = ntonencryptionBase().get_encryption_level_cli(self.host)
     if level:
         ntonencryptionBase().disable_nton_cluster([self.host])
     copy_host = copy.deepcopy(self.host)
     if non_local_CA_upload:
         self.non_local_CA_upload(server=copy_host, allow=True)
     x509main(copy_host)._upload_cluster_ca_certificate(user, password)
     x509main(copy_host)._setup_node_certificates()
     if state is not None:
         self.write_client_cert_json_new(state, paths, prefixs, delimeters)
         if mode == 'rest':
             x509main(copy_host)._upload_cluster_ca_settings(user, password)
         elif mode == 'cli':
             x509main(copy_host)._upload_cert_file_via_cli(user, password)
     if level:
         ntonencryptionBase().setup_nton_cluster(
             [self.host], clusterEncryptionLevel=level)
     if non_local_CA_upload:
         # Disable it back as uploading is done
         self.non_local_CA_upload(server=copy_host, allow=False)
示例#4
0
 def test_enforcing_tls_during_handler_lifecycle_operation(self):
     ntonencryptionBase().setup_nton_cluster(
         self.servers, clusterEncryptionLevel=self.ntonencrypt_level)
     body = self.create_save_function_body(
         self.function_name, "handler_code/ABO/insert_rebalance.js")
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size)
     self.deploy_function(body)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     if self.pause_resume:
         self.resume_function(body, wait_for_resume=False)
     else:
         self.deploy_function(body, wait_for_bootstrap=False)
     ntonencryptionBase().setup_nton_cluster(
         [self.master], clusterEncryptionLevel="strict")
     self.wait_for_handler_state(body['appname'], "deployed")
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size,
               op_type='delete')
     self.verify_doc_count_collections("dst_bucket._default._default", 0)
     assert ClusterOperationHelper.check_if_services_obey_tls(
         servers=[self.master
                  ]), "Port binding after enforcing TLS incorrect"
     self.undeploy_and_delete_function(body)
示例#5
0
 def test_eventing_rebalance_with_n2n_encryption_and_enforce_tls(self):
     ntonencryptionBase().disable_nton_cluster([self.master])
     body = self.create_save_function_body(
         self.function_name, "handler_code/ABO/insert_rebalance.js")
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size)
     self.deploy_function(body)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     for level in ["control", "all", "strict"]:
         if self.pause_resume:
             self.pause_function(body)
         else:
             self.undeploy_function(body)
         ntonencryptionBase().setup_nton_cluster(
             [self.master], clusterEncryptionLevel=level)
         if self.x509enable:
             self.upload_x509_certs(self.servers[self.nodes_init])
         services_in = ["eventing"]
         rebalance = self.cluster.async_rebalance(
             self.servers[:self.nodes_init],
             [self.servers[self.nodes_init]], [],
             services=services_in)
         reached = RestHelper(self.rest).rebalance_reached(retry_count=150)
         self.assertTrue(reached,
                         "rebalance failed, stuck or did not complete")
         rebalance.result()
         if self.pause_resume:
             self.resume_function(body)
         else:
             self.deploy_function(body)
         self.load(self.gens_load,
                   buckets=self.src_bucket,
                   flag=self.item_flag,
                   verify_data=False,
                   batch_size=self.batch_size,
                   op_type='delete')
         self.verify_doc_count_collections("dst_bucket._default._default",
                                           0)
         rebalance = self.cluster.async_rebalance(
             self.servers[:self.nodes_init], [],
             [self.servers[self.nodes_init]])
         reached = RestHelper(self.rest).rebalance_reached(retry_count=150)
         self.assertTrue(reached,
                         "rebalance failed, stuck or did not complete")
         rebalance.result()
         self.load(self.gens_load,
                   buckets=self.src_bucket,
                   flag=self.item_flag,
                   verify_data=False,
                   batch_size=self.batch_size)
         self.verify_doc_count_collections(
             "dst_bucket._default._default",
             self.docs_per_day * self.num_docs)
     self.undeploy_and_delete_function(body)
示例#6
0
 def test_port_security_with_encryption(self):
     """
     Scanning the ports to test vulnerabilities with cluster encryption enabled
     """
     ntonencryptionBase().setup_nton_cluster(servers=self.servers, ntonStatus="enable",
                                             clusterEncryptionLevel="all")
     self.test_port_security()
     CbServer.use_https = True
     ntonencryptionBase().setup_nton_cluster(servers=self.servers, ntonStatus="enable",
                                             clusterEncryptionLevel="strict")
     self.test_port_security()
示例#7
0
 def tearDown(self):
     log.info(
         "==============  Multiple CA Upgrade teardown has started =============="
     )
     ntonencryptionBase().disable_nton_cluster(self.servers)
     CbServer.use_https = False
     if self.test_setup_finished:
         self._install(self.servers)
     super(MultipleCAUpgrade, self).tearDown()
     log.info(
         "==============  Multiple CA Upgrade teardown finished =============="
     )
示例#8
0
    def test_n2n_encryption_enabled_rebalance_in_with_ddoc_ops(self):

        self.assertTrue(self.num_servers > self.nodes_in + self.nodes_out,
                        "ERROR: Not enough nodes to do rebalance in and out")

        ntonencryptionBase().disable_nton_cluster([self.master])

        self._load_doc_data_all_buckets()

        servs_in = self.servers[1:self.nodes_in + 1]
        rebalance = self.cluster.async_rebalance(self.servers[:1], servs_in,
                                                 [])

        for bucket in self.buckets:
            self._execute_ddoc_ops("create",
                                   self.test_with_view,
                                   self.num_ddocs,
                                   self.num_views_per_ddoc,
                                   bucket=bucket)
        self._execute_ddoc_ops("update",
                               self.test_with_view,
                               self.num_ddocs // 2,
                               self.num_views_per_ddoc // 2,
                               bucket=bucket)
        self._execute_ddoc_ops("delete",
                               self.test_with_view,
                               self.num_ddocs // 2,
                               self.num_views_per_ddoc // 2,
                               bucket=bucket)
        rebalance.result()
        self._wait_for_stats_all_buckets(self.servers[:self.nodes_in + 1])
        max_verify = None
        if self.num_items > 500000:
            max_verify = 100000

        ntonencryptionBase().setup_nton_cluster(
            [self.master], clusterEncryptionLevel="strict")

        self._verify_all_buckets(server=self.master,
                                 timeout=self.wait_timeout *
                                 15 if not self.dgm_run else None,
                                 max_verify=max_verify)
        self._verify_stats_all_buckets(
            self.servers[:self.nodes_in + 1],
            timeout=self.wait_timeout if not self.dgm_run else None)
        self._verify_ddoc_ops_all_buckets()
        if self.test_with_view:
            self._verify_ddoc_data_all_buckets()
        assert ClusterOperationHelper.check_if_services_obey_tls(
            servers=[self.master
                     ]), "Port binding after enforcing TLS incorrect"
示例#9
0
    def test_view_ops_n2n_encryption_enabled(self):

        ntonencryptionBase().disable_nton_cluster([self.master])
        self.log.info("###### Generating x509 certificate#####")
        self.generate_x509_certs(self.servers)
        self.log.info("###### uploading x509 certificate#####")
        self.upload_x509_certs(self.servers)

        self._load_doc_data_all_buckets()
        for bucket in self.buckets:
            self._execute_ddoc_ops("create",
                                   self.test_with_view,
                                   self.num_ddocs,
                                   self.num_views_per_ddoc,
                                   bucket=bucket)

        self._wait_for_stats_all_buckets([self.master])
        ntonencryptionBase().setup_nton_cluster(
            [self.master], clusterEncryptionLevel="strict")
        self.x509enable = True

        encryption_result = ntonencryptionBase().setup_nton_cluster(
            self.servers, 'enable', self.ntonencrypt_level)
        self.assertTrue(encryption_result,
                        "Retries Exceeded. Cannot enable n2n encryption")

        self._verify_ddoc_ops_all_buckets()
        self._verify_ddoc_data_all_buckets()

        self._execute_ddoc_ops("update",
                               self.test_with_view,
                               self.num_ddocs // 2,
                               self.num_views_per_ddoc // 2,
                               bucket=bucket)
        self._wait_for_stats_all_buckets([self.master])

        ntonencryptionBase().disable_nton_cluster([self.master])

        self._verify_ddoc_ops_all_buckets()
        self._verify_ddoc_data_all_buckets()

        self._execute_ddoc_ops("delete",
                               self.test_with_view,
                               self.num_ddocs // 2,
                               self.num_views_per_ddoc // 2,
                               bucket=bucket)

        self._wait_for_stats_all_buckets([self.master])
        ntonencryptionBase().setup_nton_cluster(
            [self.master], clusterEncryptionLevel="strict")
        self._verify_ddoc_ops_all_buckets()
        self._verify_ddoc_data_all_buckets()

        assert ClusterOperationHelper.check_if_services_obey_tls(
            servers=[self.master
                     ]), "Port binding after enforcing TLS incorrect"
示例#10
0
 def test_port_security_with_certificates(self):
     """
     Scanning the ports to test vulnerabilities with certificates
     """
     self.x509 = x509main(host=self.master)
     self.x509.generate_multiple_x509_certs(servers=self.servers)
     for server in self.servers:
         _ = self.x509.upload_root_certs(server)
     self.x509.upload_node_certs(servers=self.servers)
     self.x509.delete_unused_out_of_the_box_CAs(server=self.master)
     self.x509.upload_client_cert_settings(server=self.servers[0])
     CbServer.use_https = True
     ntonencryptionBase().setup_nton_cluster(servers=self.servers,
                                             clusterEncryptionLevel="strict")
     self.test_port_security()
示例#11
0
    def test_multiple_CAs_offline(self):
        """
        1. Init Pre-neo cluster with x509 (single CA)
        2. Offline upgrade node one by one
        3. Optionally convert pkcs#1 key to encrypted pkcs#8 key in mixed mode cluster
        4. After cluster is fully upgraded, rotate certs to use pkcs#8 keys and multiple CAs
        """
        self.log.info("------------- test started-------------")
        self.generate_x509_certs(self.servers)
        self.upload_x509_certs(self.servers)
        ntonencryptionBase().setup_nton_cluster(servers=self.servers,
                                                clusterEncryptionLevel="all")

        for node in self.servers:
            self.log.info(
                "-------------Performing upgrade on node {0} to version------------- {1}"
                .format(node, self.upgrade_version))
            upgrade_threads = self._async_update(
                upgrade_version=self.upgrade_version, servers=[node])
            for threads in upgrade_threads:
                threads.join()
            self.log.info("Upgrade finished")
            if self.enc_key_mixed_mode:
                self.convert_to_pkcs8(node)
                self.reload_node_cert_with_plain_password(node)
        CbServer.use_https = True
        ntonencryptionBase().setup_nton_cluster(
            servers=self.servers, clusterEncryptionLevel="strict")
        self._reset_original(self.servers)
        self.x509_new = x509main(host=self.master,
                                 standard="pkcs8",
                                 encryption_type="aes256",
                                 passphrase_type="script")
        self.x509_new.generate_multiple_x509_certs(servers=self.servers)
        for server in self.servers:
            _ = self.x509_new.upload_root_certs(server)
        self.x509_new.upload_node_certs(servers=self.servers)
        self.x509_new.delete_unused_out_of_the_box_CAs(server=self.master)
        self.x509_new.upload_client_cert_settings(server=self.servers[0])
        task = self.cluster.async_rebalance(self.servers[:self.nodes_init],
                                            self.servers[self.nodes_init:], [])

        self.wait_for_rebalance_to_complete(task)
        self.auth(servers=self.servers)
        self.validate_rbac_users_post_upgrade(self.master)
        self.validate_user_roles_sdk(self.master)
示例#12
0
 def test_teardown_with_n2n_encryption(self):
     """
     Verify that regenerate, deletion of trusted CAs work
     with n2n encryption turned on
     """
     CbServer.use_https = True
     for level in ["strict", "control", "all"]:
         self.x509 = x509main(host=self.master,
                              standard=self.standard,
                              encryption_type=self.encryption_type,
                              passphrase_type=self.passphrase_type,
                              wildcard_dns=self.wildcard_dns)
         self.x509.generate_multiple_x509_certs(
             servers=self.servers[:self.nodes_init])
         self.x509.upload_root_certs(self.master)
         self.x509.upload_node_certs(servers=self.servers[:self.nodes_init])
         ntonencryptionBase().setup_nton_cluster(
             [self.master], clusterEncryptionLevel=level)
         self.x509.teardown_certs(servers=self.servers)
         ntonencryptionBase().disable_nton_cluster([self.master])
示例#13
0
 def test_eventing_with_n2n_encryption_enabled(self):
     ntonencryptionBase().disable_nton_cluster([self.master])
     body = self.create_save_function_body(
         self.function_name, "handler_code/ABO/insert_rebalance.js")
     self.load_data_to_collection(self.docs_per_day * self.num_docs,
                                  "src_bucket._default._default")
     self.deploy_function(body)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().setup_nton_cluster(
         self.servers, clusterEncryptionLevel=self.ntonencrypt_level)
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load_data_to_collection(self.docs_per_day * self.num_docs,
                                  "src_bucket._default._default",
                                  is_delete=True)
     self.verify_doc_count_collections("dst_bucket._default._default", 0)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().setup_nton_cluster(self.servers,
                                             clusterEncryptionLevel="all")
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load_data_to_collection(self.docs_per_day * self.num_docs,
                                  "src_bucket._default._default")
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().disable_nton_cluster([self.master])
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load_data_to_collection(self.docs_per_day * self.num_docs,
                                  "src_bucket._default._default",
                                  is_delete=True)
     self.verify_doc_count_collections("dst_bucket._default._default", 0)
     self.undeploy_and_delete_function(body)
示例#14
0
    def test_view_system_events_settings_change(self):

        self._load_doc_data_all_buckets()
        for bucket in self.buckets:
            self._execute_ddoc_ops("create",
                                   self.test_with_view,
                                   self.num_ddocs,
                                   self.num_views_per_ddoc,
                                   bucket=bucket)

        self._wait_for_stats_all_buckets([self.master])

        self._verify_ddoc_ops_all_buckets()
        self._verify_ddoc_data_all_buckets()

        ntonencryptionBase().disable_nton_cluster([self.master])
        ntonencryptionBase().setup_nton_cluster([self.master])
        ntonencryptionBase().disable_nton_cluster([self.master])

        global_vars.system_event_logs.add_event(
            ViewsServiceEvents.DDoc_Settings_change(self.master))
        self.system_events.validate(server=self.master)
示例#15
0
    def test_multiple_CAs_online(self):
        """
        1. Init Pre-neo cluster with x509 (single CA)
        2. Online upgrade by rebalance-in and rebalance-out
        3. Optionally convert pkcs#1 key to encrypted pkcs#8 key in mixed mode cluster
        4. After cluster is fully upgraded, rotate certs to use pkcs#8 keys and multiple CAs
        """
        self.log.info("------------- test started-------------")
        self.generate_x509_certs(self.servers)
        self.upload_x509_certs(self.servers)
        ntonencryptionBase().setup_nton_cluster(servers=self.servers,
                                                clusterEncryptionLevel="all")
        nodes_to_upgrade = self.servers[self.nodes_init:]
        nodes_to_upgrade = nodes_to_upgrade[:self.nodes_init]
        self.log.info(
            "-------------Performing upgrade on node {0} to version------------- {1}"
            .format(nodes_to_upgrade, self.upgrade_version))
        upgrade_threads = self._async_update(
            upgrade_version=self.upgrade_version, servers=nodes_to_upgrade)
        for threads in upgrade_threads:
            threads.join()

        nodes_in_cluster = self.servers[:self.nodes_init]
        old_nodes = copy.deepcopy(nodes_in_cluster)
        for node in nodes_to_upgrade:
            self.log.info("Rebalance-in a Neo node {0}".format(node))
            task = self.cluster.async_rebalance(
                nodes_in_cluster, [node], [],
                services=["kv,n1ql,cbas,eventing,fts,index"])
            self.wait_for_rebalance_to_complete(task)
            nodes_in_cluster.append(node)

            node_out = old_nodes[-1]
            self.log.info("Rebalance-out a pre-Neo node {0}".format(node_out))
            task = self.cluster.async_rebalance(nodes_in_cluster, [],
                                                [node_out])
            self.wait_for_rebalance_to_complete(task)
            old_nodes.remove(node_out)
            for enode in nodes_in_cluster:
                if enode.ip == node_out.ip:
                    nodes_in_cluster.remove(enode)

            self.master = copy.deepcopy(node)
            if self.enc_key_mixed_mode:
                self.convert_to_pkcs8(node)
                self.reload_node_cert_with_plain_password(node)

        CbServer.use_https = True
        ntonencryptionBase().setup_nton_cluster(
            servers=nodes_in_cluster, clusterEncryptionLevel="strict")
        self._reset_original(nodes_in_cluster)
        self.x509_new = x509main(host=self.master,
                                 standard="pkcs8",
                                 encryption_type="aes256",
                                 passphrase_type="script")
        self.x509_new.generate_multiple_x509_certs(servers=nodes_in_cluster)
        for server in nodes_in_cluster:
            _ = self.x509_new.upload_root_certs(server)
        self.x509_new.upload_node_certs(servers=nodes_in_cluster)
        self.x509_new.delete_unused_out_of_the_box_CAs(server=self.master)
        self.x509_new.upload_client_cert_settings(server=nodes_in_cluster[0])
        self.auth(servers=nodes_in_cluster)
        self.validate_rbac_users_post_upgrade(self.master)
        self.validate_user_roles_sdk(self.master)
示例#16
0
    def validate_user_roles_sdk(self, server):
        """
        1. Create SDK connection
        2. Check whether users created before upgrade are able to write/read docs
            into the bucket post upgrade depending on their roles
        Written in accordance with python sdk version - 2.4
        """
        ntonencryptionBase().disable_nton_cluster(self.servers)
        CbServer.use_https = False

        for user in self.user_roles:
            # select users with data roles
            data_roles = [
                role for role in self.user_roles[user] if "data_" in role
            ]
            if data_roles:
                self.log.info("USERNAME -- {0}".format(user))

                # create sdk connection
                bucket_name = "travel-sample"
                url = 'couchbase://{ip}/{name}'.format(ip=server.ip,
                                                       name=bucket_name)
                if user == "bjones":
                    url = 'couchbase://{ip}/{name}?sasl_mech_force=PLAIN'.format(
                        ip=server.ip, name=bucket_name)
                bucket = Bucket(url, username=user, password="******")

                try:
                    # write/upsert into the doc
                    bucket.upsert('doc123', {'key123': 'value123'})
                except CouchbaseInputError:
                    if any("data_reader" in role for role in data_roles) or ("data_dcp_reader" in \
                        role for role in data_roles) or any("data_monitoring" in role for \
                        role in data_roles):
                        self.log.info(
                            "Write permission not granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should have permission to "
                            "write to the given bucket")
                except CouchbaseError:
                    if any("data_writer" in role for role in data_roles) or any("data_backup" \
                       in role for role in data_roles):
                        self.log.info("Write permission granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should not have permission to "
                            "write to the given bucket")
                else:
                    if any("data_writer" in role for role in data_roles) or any("data_backup" \
                        in role for role in data_roles):
                        self.log.info("Write permission granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should not have permission to "
                            "write to the given bucket")

                try:
                    # read the doc
                    bucket.get('airline_10')
                except CouchbaseInputError:
                    if any("data_writer" in role for role in data_roles) or any("data_monitoring" \
                       in role for role in data_roles):
                        self.log.info(
                            "Read permission not granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should have permission to "
                            "read the given bucket")
                except CouchbaseError:
                    if any("data_reader" in role for role in data_roles) or any("data_dcp_reader" \
                        in role for role in data_roles) or any("data_backup" in role for role \
                        in data_roles):
                        self.log.info("Read permission granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should not have permission to "
                            "read the given bucket")
                else:
                    if any("data_reader" in role for role in data_roles) or any("data_dcp_reader" \
                        in role for role in data_roles) or any("data_backup" in role for role \
                        in data_roles):
                        self.log.info("Read permission granted as expected")
                    else:
                        self.fail(
                            "Validation failed. The user should not have permission to "
                            "read the given bucket")
示例#17
0
    def test_upgrade_with_ldap_root_cert(self):
        """
        1. Setup a cluster with x509 certs with n2n encryption enabled.
        2. Start an ldap container with a root certificate.
        3. Setup an ldap client connection from CB cluster to ldap server.
        4. Create an ldap user.
        5. Upgrade the CB cluster offline.
        6. Add ldap's root cert to cluster's trusted CAs and make ldap
        client connection from CB to ldap server using cluster's trusted CAs
        7. Validate ldap user authentication works
        """
        self.log.info("------------- test started-------------")
        self.generate_x509_certs(self.servers)
        self.upload_x509_certs(self.servers)
        ntonencryptionBase().setup_nton_cluster(servers=self.servers,
                                                clusterEncryptionLevel="all")

        # setup and start ldap container
        self.log.info("Setting up ldap container")
        self.docker = LdapContainer()
        shell = RemoteMachineShellConnection(self.master)
        self.docker.start_docker(shell)
        self.docker.stop_all_containers(shell)
        self.docker.remove_all_containers(shell)
        self.docker.start_ldap_container(shell)
        shell.disconnect()

        # Setup ldap config and add an ldap user
        self.log.info("Setting up ldap config and creating ldap user")
        param = self.get_ldap_params(
            hosts='ldap.example.org',
            port='636',
            encryption='TLS',
            bindDN='cn=admin,dc=example,dc=org',
            bindPass="******",
            serverCertValidation='false',
            userDNMapping='{"template":"cn=%u,dc=example,dc=org"}')
        self.setup_ldap_config(server=self.master, param=param)
        self.add_ldap_user(server=self.master, user_name=self.docker.ldap_user)

        for node in self.servers:
            self.log.info(
                "-------------Performing upgrade on node {0} to version------------- {1}"
                .format(node, self.upgrade_version))
            upgrade_threads = self._async_update(
                upgrade_version=self.upgrade_version, servers=[node])
            for threads in upgrade_threads:
                threads.join()
            self.log.info("Upgrade finished")

        # Add multiple CAs with strict level of n2n encryption
        CbServer.use_https = True
        ntonencryptionBase().setup_nton_cluster(
            servers=self.servers, clusterEncryptionLevel="strict")
        self._reset_original(self.servers)
        self.x509_new = x509main(host=self.master,
                                 standard="pkcs8",
                                 encryption_type="aes256",
                                 passphrase_type="script")
        self.x509_new.generate_multiple_x509_certs(servers=self.servers)
        for server in self.servers:
            _ = self.x509_new.upload_root_certs(server)
        self.x509_new.upload_node_certs(servers=self.servers)
        self.x509_new.delete_unused_out_of_the_box_CAs(server=self.master)

        # Upload ldap's root CA to cluster's trusted CAs
        self.log.info("Copying ldap CA to inbox/CA folder")
        # TODO: Change the hardcoded path (for now it's okay since the VM on which container is running is fixed )
        self.copy_file_from_slave_to_server(
            server=self.master,
            src=self.docker.ldap_ca,
            dst=
            "/opt/couchbase/var/lib/couchbase/inbox/CA/ldap_container_ca.crt")
        self.log.info("Uploading ldap CA to CB")
        self.x509_new.upload_root_certs(self.master)

        self.log.info("Changing ldap config to use CB trusted CAs")
        param = self.get_ldap_params(
            hosts=self.docker.hostname,
            port=str(self.docker.ssl_port),
            encryption='TLS',
            bindDN=self.docker.bindDN,
            bindPass=self.docker.bindPass,
            serverCertValidation='true',
            userDNMapping='{"template":"cn=%u,dc=example,dc=org"}')
        self.setup_ldap_config(server=self.master, param=param)

        # Validate ldap user post upgrade
        ldap_rest = RestConnection(self.master)
        ldap_rest.username = self.docker.ldap_user
        ldap_rest.password = self.docker.bindPass
        status, content, response = self.make_rest_call_with_ldap_user(
            ldap_rest=ldap_rest)
        if not status:
            self.fail(
                "Rest call with ldap user credentials failed with content "
                "{0}, response{1}".format(content, response))
示例#18
0
 def test_eventing_with_enforce_tls_feature(self):
     ntonencryptionBase().disable_nton_cluster([self.master])
     body = self.create_save_function_body(self.function_name,
                                           self.handler_code)
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size)
     self.deploy_function(body)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().setup_nton_cluster(
         self.servers, clusterEncryptionLevel=self.ntonencrypt_level)
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size,
               op_type='delete')
     self.verify_doc_count_collections("dst_bucket._default._default", 0)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().setup_nton_cluster(
         [self.master], clusterEncryptionLevel="strict")
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     assert ClusterOperationHelper.check_if_services_obey_tls(
         servers=[self.master
                  ]), "Port binding after enforcing TLS incorrect"
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().setup_nton_cluster(
         self.servers, clusterEncryptionLevel=self.ntonencrypt_level)
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size,
               op_type='delete')
     self.verify_doc_count_collections("dst_bucket._default._default", 0)
     if self.pause_resume:
         self.pause_function(body)
     else:
         self.undeploy_function(body)
     ntonencryptionBase().disable_nton_cluster([self.master])
     if self.pause_resume:
         self.resume_function(body)
     else:
         self.deploy_function(body)
     self.load(self.gens_load,
               buckets=self.src_bucket,
               flag=self.item_flag,
               verify_data=False,
               batch_size=self.batch_size)
     self.verify_doc_count_collections("dst_bucket._default._default",
                                       self.docs_per_day * self.num_docs)
     self.undeploy_and_delete_function(body)
示例#19
0
    def test_n2n_encryption_enabled_rebalance_in_and_out_with_ddoc_ops(self):
        #assert if number of nodes_in and nodes_out are not sufficient
        self.assertTrue(self.num_servers > self.nodes_in + self.nodes_out,
                        "ERROR: Not enough nodes to do rebalance in and out")
        ntonencryptionBase().disable_nton_cluster([self.master])

        servs_in = self.servers[self.num_servers - self.nodes_in:]
        #subtract the servs_in from the list of servers
        servs_for_rebal = [
            serv for serv in self.servers if serv not in servs_in
        ]
        servs_out = servs_for_rebal[self.num_servers - self.nodes_in -
                                    self.nodes_out:]

        x509main().setup_cluster_nodes_ssl(servs_out)
        #list of server which will be available after the in/out operation
        servs_after_rebal = [
            serv for serv in self.servers if serv not in servs_out
        ]

        self.log.info(
            "create a cluster of all the available servers except nodes_in")
        self.cluster.rebalance(servs_for_rebal[:1], servs_for_rebal[1:], [])
        #ntonencryptionBase().disable_nton_cluster([self.master])
        # load initial documents
        self._load_doc_data_all_buckets()

        #start the rebalance in/out operation
        rebalance = self.cluster.async_rebalance(servs_for_rebal, servs_in,
                                                 servs_out)

        for bucket in self.buckets:
            self._execute_ddoc_ops("create",
                                   self.test_with_view,
                                   self.num_ddocs,
                                   self.num_views_per_ddoc,
                                   bucket=bucket)
            if self.ddoc_ops in ["update", "delete"]:
                self._execute_ddoc_ops(self.ddoc_ops,
                                       self.test_with_view,
                                       self.num_ddocs // 2,
                                       self.num_views_per_ddoc // 2,
                                       bucket=bucket)
        rebalance.result()
        self._wait_for_stats_all_buckets(servs_after_rebal)
        max_verify = None
        if self.num_items > 500000:
            max_verify = 100000

        encryption_result = ntonencryptionBase().setup_nton_cluster(
            [self.master], clusterEncryptionLevel="strict")
        self.assertTrue(encryption_result,
                        "Retries Exceeded. Cannot enable n2n encryption")

        self.cluster.async_rebalance(servs_for_rebal, servs_in, servs_out)

        self._verify_all_buckets(server=self.master,
                                 timeout=self.wait_timeout *
                                 15 if not self.dgm_run else None,
                                 max_verify=max_verify)
        self._verify_stats_all_buckets(
            servs_after_rebal,
            timeout=self.wait_timeout if not self.dgm_run else None)
        self._verify_ddoc_ops_all_buckets()
        if self.test_with_view:
            self._verify_ddoc_data_all_buckets()
        assert ClusterOperationHelper.check_if_services_obey_tls(
            servers=[self.master
                     ]), "Port binding after enforcing TLS incorrect"