def test_rolecheck_KRA(self):
"""ipa-backup rolecheck: add a KRA.
"""
# install CA on replica.
tasks.install_ca(self.replicas[0])
# master and replicas[0] have matching roles now.
assert self._ipa_replica_role_check(
self.replicas[0].hostname, self.serverroles['CA']
)
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_success(self.replicas[0])
# install KRA on replica
tasks.install_kra(self.replicas[0], first_instance=True)
assert self._ipa_replica_role_check(
self.replicas[0].hostname, self.serverroles['KRA']
)
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_failure(self.master)
# install KRA on master
tasks.install_kra(self.master)
# master and replicas[0] have matching roles now.
assert self._ipa_replica_role_check(
self.master.hostname, self.serverroles['KRA']
)
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_success(self.master)
def test_replica_ca_install_with_skip_schema_check(self):
"""
Test for ipa-ca-install --skip-schema-check on a replica
"""
tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
def test_caless_to_cafull_replica(self, test_setup_teardown):
"""Test ACME is enabled on CA-less replica when converted to CA-full
Deployment where one server is deployed as CA-less, when converted
to CA full, should have ACME enabled by default.
related: https://pagure.io/freeipa/issue/8524
"""
tasks.kinit_admin(self.master)
# enable acme on master
self.master.run_command(['ipa-acme-manage', 'enable'])
# check status of acme server on master
status = check_acme_status(self.master, 'enabled')
assert status == 'enabled'
tasks.kinit_admin(self.replicas[0])
# check status of acme on replica, result: CA is not installed
result = self.replicas[0].run_command(['ipa-acme-manage', 'status'],
raiseonerr=False)
assert result.returncode == 3
# Install CA on replica
tasks.install_ca(self.replicas[0])
# check acme status, should be enabled now
status = check_acme_status(self.replicas[0], 'enabled')
assert status == 'enabled'
# disable acme on replica
self.replicas[0].run_command(['ipa-acme-manage', 'disable'])
# check acme status on master, should be disabled
status = check_acme_status(self.master, 'disabled')
assert status == 'disabled'
def test_replica_ca_install_with_no_host_dns(self):
"""
Test for ipa-ca-install --no-host-dns on a replica
"""
tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
tasks.install_ca(self.replicas[0], extra_args=["--no-host-dns"])
def test_crlgen_enable_on_ca_replica(self):
"""Test crlgen enable on a replica with CA
Install a CA clone and enable CRLgen"""
tasks.install_ca(self.replicas[0])
check_crlgen_enable(
self.replicas[0], rc=0,
msg="make sure to have only a single CRL generation master",
check_crl=True)
def test_enable_caless_to_cafull_replica(self, test_setup_teardown):
"""Test ACME with CA-less replica when converted to CA-full
Deployment have one ca-less replica and ACME is not enabled.
After converting ca-less replica to ca-full, ACME can be
enabled or disabled.
related: https://pagure.io/freeipa/issue/8524
"""
tasks.kinit_admin(self.master)
# check status of acme server on master
status = check_acme_status(self.master, 'disabled')
assert status == 'disabled'
tasks.kinit_admin(self.replicas[0])
# check status of acme on replica, result: CA is not installed
result = self.replicas[0].run_command(['ipa-acme-manage', 'status'],
raiseonerr=False)
assert result.returncode == 3
# Install CA on replica
tasks.install_ca(self.replicas[0])
# check acme status on replica, should not throw error
status = check_acme_status(self.replicas[0], 'disabled')
assert status == 'disabled'
# enable acme on replica
self.replicas[0].run_command(['ipa-acme-manage', 'enable'])
# check acme status on master
status = check_acme_status(self.master, 'enabled')
assert status == 'enabled'
# check acme status on replica
status = check_acme_status(self.replicas[0], 'enabled')
assert status == 'enabled'
# disable acme on master
self.master.run_command(['ipa-acme-manage', 'disable'])
# check acme status on replica, should be disabled
status = check_acme_status(self.replicas[0], 'disabled')
assert status == 'disabled'
def test_replica_install_against_server_without_kra(self):
"""Replica install will fail complaining about KRA role
and exit code 4"""
# install ca on replica1
tasks.install_ca(self.replicas[0])
try:
# install replica2 against replica1, as KRA is not installed on
# replica1(CA installed), installation should fail on replica2
cmd = tasks.install_replica(self.replicas[0], self.replicas[1],
promote=False, setup_kra=True,
raiseonerr=False)
assert cmd.returncode == 4
error = "please provide a server with the KRA role"
assert error in cmd.stderr_text
finally:
tasks.uninstall_master(self.replicas[1],
ignore_topology_disconnect=True,
ignore_last_of_role=True)
def test_ca_install_without_replica_file(self):
"""
TestCase:
http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
_ipa-ca-install_with_replica_file_works_only_on_domain_level_0
"""
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
for replica in self.replicas:
tasks.install_replica(master,
replica,
setup_ca=False,
setup_dns=True)
result1 = tasks.install_ca(replica1,
domain_level=DOMAIN_LEVEL_1,
raiseonerr=False)
assert_error(
result1, "If you wish to replicate CA to this host,"
" please re-run 'ipa-ca-install'\nwith a"
" replica file generated on an existing CA"
" master as argument.", 1)
tasks.install_ca(replica1, domain_level=DOMAIN_LEVEL_0)
# Now prepare the replica file, copy it to the client and raise
# domain level on master to test the reverse situation
master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
result2 = tasks.install_ca(replica2,
domain_level=DOMAIN_LEVEL_0,
raiseonerr=False)
assert_error(
result2, 'Too many parameters provided.'
' No replica file is required', 1)
tasks.install_ca(replica2, domain_level=DOMAIN_LEVEL_1)
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
def test_replica0_ipa_ca_install(self):
tasks.install_ca(self.replicas[0])
def test_replica0_ipa_ca_install(self):
tasks.install_ca(self.replicas[0])
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = backup(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
