From 261bb179f4020771a5acb2c655df4ecd6b22e852 Mon Sep 17 00:00:00 2001
From: Patrik Holmqvist <pahol@sunet.se>
Date: Wed, 15 Jan 2025 16:36:58 +0100
Subject: [PATCH] Update restore scripts

---
 .../run-failed-restore.expect                 | 22 +++++++++++++++++++
 .../baas2_restoretest/run-restore.expect      |  7 ------
 .../run-successful-restore.expect             | 20 +++++++++++++++++
 .../baas2_restoretest/validate-backup-files   | 22 +++++++++++++++++--
 4 files changed, 62 insertions(+), 9 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-failed-restore.expect
 delete mode 100644 global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-restore.expect
 create mode 100644 global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-successful-restore.expect

diff --git a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-failed-restore.expect b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-failed-restore.expect
new file mode 100644
index 0000000..a7224f7
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-failed-restore.expect
@@ -0,0 +1,22 @@
+#!/usr/bin/expect
+set nodename [lindex $argv 0]
+
+set exit_val 1
+set enc_password "bogus_password"
+
+spawn dsmc restore /opt/backup-test/ /opt/restore-target/ -asnodename=$nodename -subdir=yes
+expect "Action \\\[1,2,3,A\\\] : " {
+  send -- "1\r"
+  expect -exact "Enter encryption key password: "
+  send -- "$enc_password\r"
+  expect -exact "Confirm encryption key password: "
+  send -- "$enc_password\r"
+}
+expect "ANS8013I Invalid encryption key password" {
+  set exit_val 0
+  expect "Action \\\[1,2,3,A\\\] : "
+  send -- "A\r"
+}
+
+expect eof
+exit $exit_val
diff --git a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-restore.expect b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-restore.expect
deleted file mode 100644
index 0ac9f87..0000000
--- a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-restore.expect
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/expect
-set nodename [lindex $argv 0]
-set enc_password [lindex $argv 1]
-
-spawn dsmc restore /opt/backup-test/ /opt/restore-target/ -asnodename=$nodename -subdir=yes
-expect -exact "Action [1,2,3,A] : "
-send -- "$enc_password\r"
\ No newline at end of file
diff --git a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-successful-restore.expect b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-successful-restore.expect
new file mode 100644
index 0000000..b1f3a63
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/run-successful-restore.expect
@@ -0,0 +1,20 @@
+#!/usr/bin/expect
+set nodename [lindex $argv 0]
+set enc_password [lindex $argv 1]
+
+set exit_val 1
+
+spawn dsmc restore /opt/backup-test/ /opt/restore-target/ -asnodename=$nodename -subdir=yes
+expect "Action \\\[1,2,3,A\\\] : " {
+  send -- "1\r"
+  expect -exact "Enter encryption key password: " {
+    send -- "$enc_password\r"
+  }
+  expect -exact "Confirm encryption key password: " {
+    send -- "$enc_password\r"
+  }
+  expect "Restore processing finished." {
+    set exit_val 0
+  }
+}
+exit $exit_val
diff --git a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/validate-backup-files b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/validate-backup-files
index d3d705f..3e68b34 100755
--- a/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/validate-backup-files
+++ b/global/overlay/etc/puppet/modules/net/files/baas2_restoretest/validate-backup-files
@@ -1,11 +1,29 @@
 #!/usr/bin/env bash
+# This script is intended to validate that:
+#  - restore of an encrypted backup is unsuccessuful if wrong encrypted password is provided
+#  - restore of an encypted backup is successfil if the correct encryption password is provided
 nodename=$1
 
+if [ -z "$nodename" ]; then
+  echo "usage: $0 <nodename>"
+  exit 1
+fi
+
 set -eu
 
 restoretarget=/opt/restore-target
-rm /opt/restore-target/*
 
+# We want to start clean without files for each run to avoid getting qeustions about replace
+rm -f $restoretarget/*
+
+# Get the encryption password for the server that we want to do "proxy" restore from
 enc_password=$(eyaml decrypt -f /etc/hiera/data/local.eyaml --pkcs7-private-key=/etc/hiera/eyaml/private_key.pkcs7.pem --pkcs7-public-key=/etc/hiera/eyaml/public_certkey.pkcs7.pem | awk '/^baas2_restoretest_encryption_password: /{print $2}')
 
-/opt/baas2/run-restore.expect $nodename $enc_password
+# Run expect script that should do a failed restore (wrong password) (and exit 0 if it failes)
+/opt/baas2/run-failed-restore.expect "$nodename"
+
+# Run expect script that cancel any pending/open restores (which is an excpected result of the failed restore above)
+/opt/baas2/cancel-restore.expect "$nodename"
+
+# Run expect script that uses the correct encryption password and does a successful restore
+/opt/baas2/run-successful-restore.expect "$nodename" "$enc_password"