[automate-2916] v2 with no legacy policies -> force-upgrade to latest…

… v2 integration test (#3009) * add v2 with no legacy force-upgrade to v2 we want to make sure that customers currently using v2 without v1 legacy policies are not disrupted by the force-upgrade. v1 legacy policies should not reappear. Signed-off-by: Brenna Hewer-Darroch <[email protected]>
chef · Mar 16, 2020 · 87aaef8 · 87aaef8
1 parent d034824
commit 87aaef8
Show file tree

Hide file tree

Showing 6 changed files with 210 additions and 15 deletions.
diff --git a/.expeditor/verify_private.pipeline.yml b/.expeditor/verify_private.pipeline.yml
@@ -448,6 +448,32 @@ steps:
         linux:
           privileged: true
 
+  - label: "iam v2 force-upgrade to v2 with no legacy policies"
+    command:
+      - integration/run_test integration/tests/iam_v2_no_legacy_to_v2_force_upgrade.sh
+    timeout_in_minutes: 20
+    expeditor:
+      secrets:
+        A2_LICENSE:
+          path: secret/a2/license
+          field: license
+      executor:
+        linux:
+          privileged: true
+
+  - label: "iam v2 force-upgrade to v2 with no legacy policies (diagnostics only)"
+    command:
+      - integration/run_test integration/tests/iam_v2_no_legacy_to_v2_force_upgrade_diagnostics.sh
+    timeout_in_minutes: 20
+    expeditor:
+      secrets:
+        A2_LICENSE:
+          path: secret/a2/license
+          field: license
+      executor:
+        linux:
+          privileged: true
+
   - label: "a1migration"
     command:
       - integration/run_test integration/tests/a1migration.sh

diff --git a/components/automate-deployment/testdata/old_manifests/20200127203438.json b/components/automate-deployment/testdata/old_manifests/20200127203438.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1",
+  "hab_build": "core/hab/0.90.6/20191112141314",
+  "build": "20200127203438",
+  "hab": [
+    "core/hab/0.90.6/20191112141314",
+    "core/hab-sup/0.90.6/20191112144831",
+    "core/hab-launcher/12605/20191112144831"
+  ],
+  "git_sha": "7f60624468e5a1bef0c97e259bb9584d77c8836b",
+  "packages": [
+    "chef/applications-service/1.0.0/20200124224700",
+    "chef/authn-service/0.1.0/20200116172807",
+    "chef/authz-service/0.1.0/20200123224306",
+    "chef/automate-builder-api-proxy/0.1.0/20200116172549",
+    "chef/automate-builder-api/0.1.0/20200116172550",
+    "chef/automate-builder-memcached/1.5.19/20191213155031",
+    "chef/automate-chef-io/0.1.0/20200127203210",
+    "chef/automate-cli/0.1.0/20200127203210",
+    "chef/automate-cs-bookshelf/13.0.47/20200116172605",
+    "chef/automate-cs-nginx/13.0.47/20191211135046",
+    "chef/automate-cs-oc-bifrost/13.0.47/20200116172605",
+    "chef/automate-cs-oc-erchef/13.0.47/20200116172605",
+    "chef/automate-dex/0.1.0/20200116172759",
+    "chef/automate-elasticsearch/6.8.3/20191217225932",
+    "chef/automate-es-gateway/0.1.0/20200116172742",
+    "chef/automate-gateway/0.1.0/20200124224700",
+    "chef/automate-load-balancer/0.1.0/20191220184028",
+    "chef/automate-minio/0.1.0/20200116172549",
+    "chef/automate-pg-gateway/0.0.1/20191115161408",
+    "chef/automate-postgresql/9.6.11/20190409151101",
+    "chef/automate-prometheus/0.1.0/20191115161408",
+    "chef/automate-ui/2.0.0/20200126232616",
+    "chef/automate-workflow-nginx/2.8.61/20200115202531",
+    "chef/automate-workflow-server/2.8.61/20200116173311",
+    "chef/backup-gateway/0.1.0/20200116172819",
+    "chef/cereal-service/0.1.0/20200116172549",
+    "chef/compliance-service/1.11.1/20200123224306",
+    "chef/config-mgmt-service/0.1.0/20200123224437",
+    "chef/data-feed-service/1.0.0/20200122184156",
+    "chef/data-lifecycle-service/0.0.1/20191101111721",
+    "chef/deployment-service/0.1.0/20200127203210",
+    "chef/es-sidecar-service/1.0.0/20200116171921",
+    "chef/event-feed-service/1.0.0/20200116172911",
+    "chef/event-gateway/0.1.0/20200116172737",
+    "chef/event-service/0.1.0/20200123224521",
+    "chef/ingest-service/0.1.0/20200122184114",
+    "chef/license-control-service/1.0.0/20200126022722",
+    "chef/local-user-service/0.1.0/20200122195518",
+    "chef/nodemanager-service/1.0.0/20200123224437",
+    "chef/notifications-service/1.0.0/20200116172550",
+    "chef/pg-sidecar-service/0.0.1/20200116172742",
+    "chef/secrets-service/1.0.0/20200116172641",
+    "chef/session-service/0.1.0/20200116172633",
+    "chef/teams-service/0.1.0/20200116172550",
+    "core/rsync/3.1.3/20190909001447"
+  ]
+}
diff --git a/integration/tests/iam_v1_to_v2_force_upgrade.sh b/integration/tests/iam_v1_to_v2_force_upgrade.sh
@@ -1,11 +1,26 @@
 #!/bin/bash
 
+# this test script:
+# 1. deploys an older version of Automate on IAM v1.
+# 2. runs inspec tests to verify IAM v1 behavior.
+# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
+# 4. runs inspec tests to verify that the system was not disrupted by the force-upgrade
+#    and legacy policies continue to be enforced.
+
 #shellcheck disable=SC2034
 test_name="iam_v1_force_upgrade_to_v2"
 test_upgrades=true
 test_upgrade_strategy="none"
+
+# a2-iam-v1-integration verifies default policy permissions on an IAM v1 system
 test_deploy_inspec_profiles=(a2-iam-v1-integration)
-test_upgrade_inspec_profiles=(a2-iam-legacy-integration a2-api-integration)
+
+# a2-deploy-integration verifies that the system is up and all APIs work correctly
+# (which now includes only IAM v2 APIs)
+# a2-iam-legacy-integration verifies that v1 default policies were migrated 
+# and their permissions are enforced just like on v1
+test_upgrade_inspec_profiles=(a2-deploy-integration a2-iam-legacy-integration)
+
 # Note: we can't run diagnostics AND inspec, so skip diagnostics
 test_skip_diagnostics=true
 
@@ -14,11 +29,6 @@ OLD_VERSION=20190501153509
 OLD_MANIFEST_DIR="${A2_ROOT_DIR}/components/automate-deployment/testdata/old_manifests/"
 DEEP_UPGRADE_PATH="${OLD_MANIFEST_DIR}/${OLD_VERSION}.json"
 
-# this test script:
-# 1. deploys an older version of Automate on IAM v1.
-# 2. runs a2-iam-v1-integration inspec tests.
-# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
-# 4. runs a2-iam-legacy-integration and a2-api-integration inspec tests.
 
 do_deploy() {
     #shellcheck disable=SC2154

diff --git a/integration/tests/iam_v1_to_v2_force_upgrade_diagnostics.sh b/integration/tests/iam_v1_to_v2_force_upgrade_diagnostics.sh
@@ -1,5 +1,15 @@
 #!/bin/bash
 
+# this test script:
+# 1. deploys an older version of Automate on IAM v1
+# 2. runs diagnostics without cleaning up the data. all v2 diagnostics are skipped 
+#    because the system is on v1.
+# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
+# 4. runs diagnostics, verify and cleanup steps only. 
+#    since projects and roles were not generated, it skips those two. 
+#    the v2 policies diagnostic verifies the v1 policy that was migrated to v2. 
+#    the v1 policy diagnostic is skipped because the system is on v2.
+
 #shellcheck disable=SC2034
 test_name="iam_v1_force_upgrade_to_v2_diagnostics"
 test_upgrades=true
@@ -14,15 +24,6 @@ OLD_VERSION=20190501153509
 OLD_MANIFEST_DIR="${A2_ROOT_DIR}/components/automate-deployment/testdata/old_manifests/"
 DEEP_UPGRADE_PATH="${OLD_MANIFEST_DIR}/${OLD_VERSION}.json"
 
-# this test script:
-# 1. deploys an older version of Automate on IAM v1
-# 2. runs diagnostics without cleaning up the data. all v2 diagnostics are skipped because the system is on v1.
-# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
-# 4. runs diagnostics, verify and cleanup steps only. 
-#    since projects and roles were not generated, it skips those two. 
-#    the v2 policies diagnostic verifies the v1 policy that was migrated to v2. 
-#    the v1 policy diagnostic is skipped because the system is on v2.
-
 do_deploy() {
     #shellcheck disable=SC2154
     cp "$DEEP_UPGRADE_PATH" "$test_manifest_path"

diff --git a/integration/tests/iam_v2_no_legacy_to_v2_force_upgrade.sh b/integration/tests/iam_v2_no_legacy_to_v2_force_upgrade.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# this test script:
+# 1. deploys an older version of Automate and upgrades it to v2 using the beta CLI,
+#    skipping v1 policy migration.
+# 2. runs inspec tests to verify IAM v2 behavior without legacy policies.
+# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
+# 4. runs inspec tests to verify that the system was not disrupted by the force-upgrade
+#    and no legacy policies were migrated.
+
+#shellcheck disable=SC2034
+test_name="iam_force_upgrade_to_v2_with_no_legacy"
+test_upgrades=true
+test_upgrade_strategy="none"
+
+# a2-iam-no-legacy-integration verifies permissions on an IAM v2 system 
+# without v1 legacy policies
+test_deploy_inspec_profiles=(a2-iam-no-legacy-integration)
+
+# a2-deploy-integration verifies that the system is up and all APIs work correctly
+# (which now includes only IAM v2 APIs)
+# a2-iam-no-legacy-integration verifies permission enforcement on a fresh IAM v2
+# system with no v1 legacy policies enforced
+test_upgrade_inspec_profiles=(a2-deploy-integration a2-iam-no-legacy-integration)
+
+# Note: we can't run diagnostics AND inspec, so skip diagnostics
+test_skip_diagnostics=true
+
+# on this version, we released IAM v2 GA
+OLD_VERSION=20200127203438
+OLD_MANIFEST_DIR="${A2_ROOT_DIR}/components/automate-deployment/testdata/old_manifests/"
+DEEP_UPGRADE_PATH="${OLD_MANIFEST_DIR}/${OLD_VERSION}.json"
+
+do_deploy() {
+    #shellcheck disable=SC2154
+    cp "$DEEP_UPGRADE_PATH" "$test_manifest_path"
+
+    # we use the CLI for the old version of Automate we want to deploy
+    local cli_bin="/bin/chef-automate-${OLD_VERSION}"
+
+    download_cli "${OLD_VERSION}" "${cli_bin}"
+
+    #shellcheck disable=SC2154
+    "${cli_bin}" deploy "$test_config_path" \
+        --hartifacts "$test_hartifacts_path" \
+        --override-origin "$HAB_ORIGIN" \
+        --manifest-dir "$test_manifest_path" \
+        --admin-password chefautomate \
+        --accept-terms-and-mlsa \
+        --skip-preflight \
+        --debug
+
+    "${cli_bin}" iam upgrade-to-v2 --skip-policy-migration
+}
diff --git a/integration/tests/iam_v2_no_legacy_to_v2_force_upgrade_diagnostics.sh b/integration/tests/iam_v2_no_legacy_to_v2_force_upgrade_diagnostics.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# this test script:
+# 1. deploys an older version of Automate and upgrades it to v2 using the beta CLI,
+#    skipping v1 policy migration.
+# 2. runs diagnostics without cleaning up the data. all v1 diagnostics are skipped 
+#    because the system is on v2.
+# 3. upgrades Automate to the latest build. This force-upgrades the system to IAM v2.
+# 4. runs diagnostics, verify and cleanup steps only. 
+#    all v1 diagnostics are skipped.
+
+#shellcheck disable=SC2034
+test_name="iam_force_upgrade_to_v2_with_no_legacy"
+test_upgrades=true
+test_upgrade_strategy="none"
+test_diagnostics_pre_upgrade_filters="~skip-for-deep-upgrade"
+
+# Note: we can't run diagnostics AND inspec, so we don't include any inspec tests
+test_skip_diagnostics=false
+
+# on this version, we released IAM v2 GA
+OLD_VERSION=20200127203438
+OLD_MANIFEST_DIR="${A2_ROOT_DIR}/components/automate-deployment/testdata/old_manifests/"
+DEEP_UPGRADE_PATH="${OLD_MANIFEST_DIR}/${OLD_VERSION}.json"
+
+do_deploy() {
+    #shellcheck disable=SC2154
+    cp "$DEEP_UPGRADE_PATH" "$test_manifest_path"
+
+    # we use the CLI for the old version of Automate we want to deploy
+    local cli_bin="/bin/chef-automate-${OLD_VERSION}"
+
+    download_cli "${OLD_VERSION}" "${cli_bin}"
+
+    #shellcheck disable=SC2154
+    "${cli_bin}" deploy "$test_config_path" \
+        --hartifacts "$test_hartifacts_path" \
+        --override-origin "$HAB_ORIGIN" \
+        --manifest-dir "$test_manifest_path" \
+        --admin-password chefautomate \
+        --accept-terms-and-mlsa \
+        --skip-preflight \
+        --debug
+
+    "${cli_bin}" iam upgrade-to-v2 --skip-policy-migration
+}