def test_full_backup_and_restore_with_selinux_booleans_off(self): """regression test for https://fedorahosted.org/freeipa/ticket/4157""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) self.master.run_command([ 'setsebool', '-P', 'httpd_can_network_connect=off', 'httpd_manage_ipa=off', ]) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') result = self.master.run_command([ 'getsebool', 'httpd_can_network_connect', 'httpd_manage_ipa', ]) assert 'httpd_can_network_connect --> on' in result.stdout_text assert 'httpd_manage_ipa --> on' in result.stdout_text
def test_restore_trust_pkg_before_restore(self): """Test restore with adtrust when trust-ad pkg is missing. Test for bug https://pagure.io/freeipa/issue/7630. """ tasks.install_packages(self.master, ['*ipa-server-trust-ad']) self.master.run_command(['ipa-adtrust-install', '-U', '--enable-compat', '--netbios-name', 'IPA', '-a', self.master.config.admin_password, '--add-sids']) with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-trust-ad']) dirman_password = self.master.config.dirman_password result = self.master.run_command( ['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-trust-ad']) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes')
def test_full_backup_and_restore(self): """backup, uninstall, restore""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_KEYS) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_CONF) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # check the file permssion and ownership is set to 770 and # dirsrv:dirsrv after restore on /var/log/dirsrv/slapd-<instance> # related ticket : https://pagure.io/freeipa/issue/7725 instance = realm_to_serverid(self.master.domain.realm) log_path = paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance cmd = self.master.run_command(['stat', '-c', '"%a %G:%U"', log_path]) assert "770 dirsrv:dirsrv" in cmd.stdout_text
def test_replica_install_after_restore(self): master = self.master replica1 = self.replicas[0] replica2 = self.replicas[1] tasks.install_master(master) tasks.install_replica(master, replica1) check_replication(master, replica1, "testuser1") # backup master. backup_path = tasks.get_backup_dir(self.master) suffix = ipautil.realm_to_suffix(master.domain.realm) suffix = escape_dn_chars(str(suffix)) entry_ldif = ( "dn: cn=meTo{hostname},cn=replica," "cn={suffix}," "cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off\n\n" "dn: cn=caTo{hostname},cn=replica," "cn=o\\3Dipaca,cn=mapping tree,cn=config\n" "changetype: modify\n" "replace: nsds5ReplicaEnabled\n" "nsds5ReplicaEnabled: off").format( hostname=replica1.hostname, suffix=suffix) # disable replication agreement tasks.ldapmodify_dm(master, entry_ldif) # uninstall master. tasks.uninstall_master(master, clean=False) # master restore. dirman_password = master.config.dirman_password master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # re-initialize topology after restore. topo_name = "{}-to-{}".format(master.hostname, replica1.hostname) for topo_suffix in 'domain', 'ca': arg = ['ipa', 'topologysegment-reinitialize', topo_suffix, topo_name, '--left'] replica1.run_command(arg) # wait sometime for re-initialization tasks.wait_for_replication(replica1.ldap_connect()) # install second replica after restore tasks.install_replica(master, replica2) check_replication(master, replica2, "testuser2")
def test_userroot_ldif_files_ownership_and_permission(self): """backup, uninstall, restore, backup""" tasks.install_master(self.master) backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) # set umask to 077 just to check if restore success. self.master.run_command('echo "umask 0077" >> /root/.bashrc') result = self.master.run_command(['umask']) assert '0077' in result.stdout_text dirman_password = self.master.config.dirman_password result = self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') assert 'Temporary setting umask to 022' in result.stderr_text # check if umask reset to 077 after restore. result = self.master.run_command(['umask']) assert '0077' in result.stdout_text # check if files have proper owner and group. dashed_domain = self.master.domain.realm.replace(".", '-') arg = ['stat', '-c', '%U:%G', '{}/ldif/'.format( paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % dashed_domain)] cmd = self.master.run_command(arg) expected = '{}:{}'.format(constants.DS_USER, constants.DS_GROUP) assert expected in cmd.stdout_text # also check of access rights are set to 644. arg = ['stat', '-c', '%U:%G:%a', '{}/ldif/{}-ipaca.ldif'.format( paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % dashed_domain, dashed_domain)] cmd = self.master.run_command(arg) assert '{}:644'.format(expected) in cmd.stdout_text arg = ['stat', '-c', '%U:%G:%a', '{}/ldif/{}-userRoot.ldif'.format( paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE % dashed_domain, dashed_domain)] cmd = self.master.run_command(arg) assert '{}:644'.format(expected) in cmd.stdout_text cmd = self.master.run_command(['ipa-backup', '-d']) unexp_str = "CRITICAL: db2ldif failed:" assert cmd.returncode == 0 assert unexp_str not in cmd.stdout_text
def test_restore_bad_dm_password(self): """backup, uninstall, restore, wrong DM password (expect failure)""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) # No uninstall, just pure restore, the only case where # prompting for the DM password matters. result = self.master.run_command(['ipa-restore', backup_path], stdin_text='badpass\nyes', raiseonerr=False) assert result.returncode == 1
def test_restore_dirsrv_not_running(self): """backup, restore, dirsrv not running (expect failure)""" # Flying blind without the restore_checker so we can have # an error thrown when dirsrv is down. backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipactl', 'stop']) dirman_password = self.master.config.dirman_password result = self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert result.returncode == 1
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore. Test for bug https://pagure.io/freeipa/issue/7630. """ with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = tasks.get_backup_dir(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-dns']) dirman_password = self.master.config.dirman_password result = self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-dns']) if reinstall: tasks.install_master(self.master, setup_dns=True) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') if reinstall: # If the server was reinstalled, reinstall may have changed # the uid and restore reverts to the original value. # clear the cache to make sure we get up-to-date values tasks.clear_sssd_cache(self.master) tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): # create vault self.master.run_command([ "ipa", "vault-add", self.vault_name, "--password", self.vault_password, "--type", "symmetric", ]) # archive secret self.master.run_command([ "ipa", "vault-archive", self.vault_name, "--password", self.vault_password, "--data", self.vault_data, ]) # retrieve secret self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ]) backup_path = tasks.get_backup_dir(self.master) # check that no error message in uninstall log for KRA instance cmd = self.master.run_command(['ipa-server-install', '--uninstall', '-U']) assert "failed to uninstall KRA" not in cmd.stderr_text if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) # retrieve secret after restore self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ])
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False): with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, '--dnssec', 'true', ]) assert (wait_until_record_is_signed( self.master.ip, self.example_test_zone)), "Zone is not signed" backup_path = tasks.get_backup_dir(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') if reinstall: # If the server was reinstalled, reinstall may have changed # the uid and restore reverts to the original value. # clear the cache to make sure we get up-to-date values tasks.clear_sssd_cache(self.master) assert (wait_until_record_is_signed( self.master.ip, self.example_test_zone)), "Zone is not signed after restore" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, '--dnssec', 'true', ]) assert (wait_until_record_is_signed( self.master.ip, self.example2_test_zone)), "A new zone is not signed"
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False): with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, '--dnssec', 'true', ]) assert ( wait_until_record_is_signed( self.master.ip, self.example_test_zone) ), "Zone is not signed" backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') assert ( wait_until_record_is_signed( self.master.ip, self.example_test_zone) ), "Zone is not signed after restore" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, '--dnssec', 'true', ]) assert ( wait_until_record_is_signed( self.master.ip, self.example2_test_zone) ), "A new zone is not signed"
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore. Test for bug https://pagure.io/freeipa/issue/7630. """ with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-dns']) dirman_password = self.master.config.dirman_password result = self.master.run_command( ['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-dns']) if reinstall: tasks.install_master(self.master, setup_dns=True) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_idp_backup_restore(self): """ Test case to check that after restore data is retrieved with related idp configuration. """ tasks.kinit_admin(self.master) user = "******" cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", "--client-id=ipa_oidc_client", "--org=master", "--base-url={0}:8443/auth".format(self.client.hostname)] self.master.run_command(cmd, stdin_text="{0}\n{0}".format( self.client.config.admin_password)) tasks.user_add(self.master, user, extra_args=["--user-auth-type=idp", "[email protected]", "--idp=testidp"] ) backup_path = tasks.get_backup_dir(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', user]) self.master.run_command(['ipa', 'idp-del', 'testidp']) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') try: list_user = self.master.run_command( ['ipa', 'user-show', 'backupuser', '--all'] ).stdout_text assert "External IdP configuration: testidp" in list_user assert "User authentication types: idp" in list_user assert ("External IdP user identifier: " "*****@*****.**") in list_user list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp']) assert "testidp" in list_idp.stdout_text kinit_idp(self.master, user, self.client) finally: tasks.kdestroy_all(self.master) tasks.kinit_admin(self.master) self.master.run_command(["rm", "-rf", backup_path]) self.master.run_command(["ipa", "idp-del", "testidp"])
def test_full_backup_and_restore_with_removed_users(self): """regression test for https://fedorahosted.org/freeipa/ticket/3866""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) homedir = os.path.join(self.master.config.test_dir, 'testuser_homedir') self.master.run_command( ['useradd', 'ipatest_user1', '--system', '-d', homedir]) try: dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') finally: self.master.run_command(['userdel', 'ipatest_user1'])
def test_hidden_replica_backup_and_restore(self): """Exercises backup+restore and hidden replica uninstall """ self._check_server_role(self.replicas[0], 'hidden') # backup backup_path = tasks.get_backup_dir(self.replicas[0]) # uninstall tasks.uninstall_master(self.replicas[0]) # restore dirman_password = self.master.config.dirman_password self.replicas[0].run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) # restore turns a hidden replica into an enabled replica # https://pagure.io/freeipa/issue/7894 self._check_config([self.master, self.replicas[0]]) self._check_server_role(self.replicas[0], 'enabled')
def test_hidden_replica_backup_and_restore(self): """Exercises backup+restore and hidden replica uninstall """ self._check_server_role(self.replicas[0], 'hidden') # backup backup_path = tasks.get_backup_dir(self.replicas[0]) # uninstall tasks.uninstall_master(self.replicas[0]) # restore dirman_password = self.master.config.dirman_password self.replicas[0].run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # give replication some time time.sleep(5) tasks.kinit_admin(self.replicas[0]) # FIXME: restore turns hidden replica into enabled replica self._check_config([self.master, self.replicas[0]]) self._check_server_role(self.replicas[0], 'enabled')
def test_full_backup_and_restore_with_replica(self, cert_sign_request): # check prerequisites self.check_replication_success(self.master) self.check_replication_success(self.replica1) self.master.run_command( ['ipa', 'service-add', 'TEST/' + self.master.hostname]) tasks.user_add(self.master, 'test1_master') tasks.user_add(self.replica1, 'test1_replica') with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) # change data after backup self.master.run_command(['ipa', 'user-del', 'test1_master']) self.replica1.run_command(['ipa', 'user-del', 'test1_replica']) tasks.user_add(self.master, 'test2_master') tasks.user_add(self.replica1, 'test2_replica') # simulate master crash self.master.run_command(['ipactl', 'stop']) tasks.uninstall_master(self.master, clean=False) logger.info("Stopping and disabling oddjobd service") self.master.run_command([ "systemctl", "stop", "oddjobd" ]) self.master.run_command([ "systemctl", "disable", "oddjobd" ]) self.master.run_command(['ipa-restore', '-U', backup_path]) status = self.master.run_command([ "systemctl", "status", "oddjobd" ]) assert "active (running)" in status.stdout_text # replication should not work after restoration # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test3_master') tasks.user_add(self.replica1, 'test3_replica') self.check_replication_error(self.master) self.check_replication_error(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \ self.get_users(self.master) assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \ self.get_users(self.replica1) # reestablish and check replication self.replica1.run_command(['ipa-replica-manage', 're-initialize', '--from', self.master.hostname]) # create users to force master and replica to try to replicate tasks.user_add(self.master, 'test4_master') tasks.user_add(self.replica1, 'test4_replica') self.check_replication_success(self.master) self.check_replication_success(self.replica1) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.master) assert {'admin', 'test1_master', 'test1_replica', 'test3_master', 'test4_master', 'test4_replica'} == \ self.get_users(self.replica1) # CA on master should be accesible from master and replica self.request_test_service_cert( self.master, cert_sign_request[self.master.hostname]) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) # replica should not be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname], expect_connection_error=True) finally: self.master.run_command(['ipactl', 'start']) tasks.install_ca(self.replica1) # now replica should be able to sign certificates without CA on master self.master.run_command(['ipactl', 'stop']) self.request_test_service_cert( self.replica1, cert_sign_request[self.replica1.hostname]) self.master.run_command(['ipactl', 'start']) # check installation of new replica tasks.install_replica(self.master, self.replica2, setup_ca=True) check_replication(self.master, self.replica2, "testuser") # new replica should be able to sign certificates without CA on master # and old replica self.master.run_command(['ipactl', 'stop']) self.replica1.run_command(['ipactl', 'stop']) try: self.request_test_service_cert( self.replica2, cert_sign_request[self.replica2.hostname]) finally: self.replica1.run_command(['ipactl', 'start']) self.master.run_command(['ipactl', 'start'])
def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): # create vault self.master.run_command([ "ipa", "vault-add", self.vault_name, "--password", self.vault_password, "--type", "symmetric", ]) # archive secret self.master.run_command([ "ipa", "vault-archive", self.vault_name, "--password", self.vault_password, "--data", self.vault_data, ]) # retrieve secret self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ]) backup_path = tasks.get_backup_dir(self.master) # check that no error message in uninstall log for KRA instance cmd = self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) assert "failed to uninstall KRA" not in cmd.stderr_text if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') if reinstall: # If the server was reinstalled, reinstall may have changed # the uid and restore reverts to the original value. # clear the cache to make sure we get up-to-date values tasks.clear_sssd_cache(self.master) tasks.kinit_admin(self.master) # retrieve secret after restore self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ])