def __configure_instance(self):
self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
self.__template_file(paths.KRB5_CONF)
self.__template_file(paths.HTML_KRB5_INI)
self.__template_file(paths.KRB_CON)
self.__template_file(paths.HTML_KRBREALM_CON)
MIN_KRB5KDC_WITH_WORKERS = "1.9"
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
workers = False
result = ipautil.run([paths.KLIST, '-V'],
raiseonerr=False,
capture_output=True)
if result.returncode == 0:
verstr = result.output.split()[-1]
ver = tasks.parse_ipa_version(verstr)
min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS)
if ver >= min:
workers = True
# Write down config file
# We write realm and also number of workers (for multi-CPU systems)
replacevars = {'KRB5REALM': self.realm}
appendvars = {}
if workers and cpus > 1:
appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
ipautil.backup_config_and_replace_variables(
self.fstore,
paths.SYSCONFIG_KRB5KDC_DIR,
replacevars=replacevars,
appendvars=appendvars)
tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
def check_version():
"""
:raise UpgradePlatformError: if platform is not the same
:raise UpgradeDataOlderVersionError: if data needs to be upgraded
:raise UpgradeDataNewerVersionError: older version of IPA was detected than data
:raise UpgradeMissingVersionError: if platform or version is missing
"""
platform = sysupgrade.get_upgrade_state('ipa', 'platform')
if platform is not None:
if platform != ipaplatform.NAME:
raise UpgradePlatformError(
"platform mismatch (expected '%s', current '%s')" % (
platform, ipaplatform.NAME)
)
else:
raise UpgradeMissingVersionError("no platform stored")
data_version = sysupgrade.get_upgrade_state('ipa', 'data_version')
if data_version is not None:
parsed_data_ver = tasks.parse_ipa_version(data_version)
parsed_ipa_ver = tasks.parse_ipa_version(version.VENDOR_VERSION)
if parsed_data_ver < parsed_ipa_ver:
raise UpgradeDataOlderVersionError(
"data needs to be upgraded (expected version '%s', current "
"version '%s')" % (version.VENDOR_VERSION, data_version)
)
elif parsed_data_ver > parsed_ipa_ver:
raise UpgradeDataNewerVersionError(
"data are in newer version than IPA (data version '%s', IPA "
"version '%s')" % (data_version, version.VENDOR_VERSION)
)
else:
raise UpgradeMissingVersionError("no data_version stored")
def __configure_instance(self):
self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
self.__template_file(paths.KRB5_CONF)
self.__template_file(paths.HTML_KRB5_INI)
self.__template_file(paths.KRB_CON)
self.__template_file(paths.HTML_KRBREALM_CON)
MIN_KRB5KDC_WITH_WORKERS = "1.9"
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
workers = False
result = ipautil.run(['klist', '-V'],
raiseonerr=False, capture_output=True)
if result.returncode == 0:
verstr = result.output.split()[-1]
ver = tasks.parse_ipa_version(verstr)
min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS)
if ver >= min:
workers = True
# Write down config file
# We write realm and also number of workers (for multi-CPU systems)
replacevars = {'KRB5REALM':self.realm}
appendvars = {}
if workers and cpus > 1:
appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
ipautil.backup_config_and_replace_variables(self.fstore, paths.SYSCONFIG_KRB5KDC_DIR,
replacevars=replacevars,
appendvars=appendvars)
tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
def check_version():
"""
:raise UpgradePlatformError: if platform is not the same
:raise UpgradeDataOlderVersionError: if data needs to be upgraded
:raise UpgradeDataNewerVersionError: older version of IPA was detected than data
:raise UpgradeMissingVersionError: if platform or version is missing
"""
platform = sysupgrade.get_upgrade_state('ipa', 'platform')
if platform is not None:
if platform != ipaplatform.NAME:
raise UpgradePlatformError(
"platform mismatch (expected '%s', current '%s')" % (
platform, ipaplatform.NAME)
)
else:
raise UpgradeMissingVersionError("no platform stored")
data_version = sysupgrade.get_upgrade_state('ipa', 'data_version')
if data_version is not None:
parsed_data_ver = tasks.parse_ipa_version(data_version)
parsed_ipa_ver = tasks.parse_ipa_version(version.VENDOR_VERSION)
if parsed_data_ver < parsed_ipa_ver:
raise UpgradeDataOlderVersionError(
"data needs to be upgraded (expected version '%s', current "
"version '%s')" % (version.VENDOR_VERSION, data_version)
)
elif parsed_data_ver > parsed_ipa_ver:
raise UpgradeDataNewerVersionError(
"data are in newer version than IPA (data version '%s', IPA "
"version '%s')" % (data_version, version.VENDOR_VERSION)
)
else:
raise UpgradeMissingVersionError("no data_version stored")
def test_ssh_from_controller(self):
"""https://pagure.io/SSSD/sssd/issue/3979
Test ssh from test controller after adding
ldap_deref_threshold=0 to sssd.conf on master
Steps:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
"""
if self.master.is_fips_mode: # pylint: disable=no-member
pytest.skip("paramiko is not compatible with FIPS mode")
cmd = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.parse_ipa_version(
cmd.stdout_text.strip())
if sssd_version < platform_tasks.parse_ipa_version('2.2.0'):
pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
username = "******" + str(random.randint(200000, 9999999))
# add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
with tasks.remote_sssd_config(self.master) as sssd_config:
sssd_config.edit_domain(
self.master.domain, 'ldap_deref_threshold', 0)
try:
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
# kinit admin
tasks.kinit_admin(self.master)
# add ipa user
cmd = ['ipa', 'user-add',
'--first', username,
'--last', username,
'--password', username]
input_passwd = 'Secret123\nSecret123\n'
cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
assert 'Added user "%s"' % username in cmd_output.stdout_text
input_passwd = 'Secret123\nSecret123\nSecret123\n'
self.master.run_command(['kinit', username],
stdin_text=input_passwd)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=username,
password='******')
client.close()
finally:
sssd_conf_backup.restore()
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def test_versions(self, versions):
version_string1, version_string2, expected_comparison = versions
ver1 = tasks.parse_ipa_version(version_string1)
ver2 = tasks.parse_ipa_version(version_string2)
if expected_comparison == "newer":
assert ver1 > ver2
elif expected_comparison == "older":
assert ver1 < ver2
elif expected_comparison == "equal":
assert ver1 == ver2
else:
raise TypeError(
"Unexpected comparison string: {}".format(expected_comparison))
def test_versions(self, versions):
version_string1, version_string2, expected_comparison = versions
ver1 = tasks.parse_ipa_version(version_string1)
ver2 = tasks.parse_ipa_version(version_string2)
if expected_comparison == "newer":
assert ver1 > ver2
elif expected_comparison == "older":
assert ver1 < ver2
elif expected_comparison == "equal":
assert ver1 == ver2
else:
raise TypeError(
"Unexpected comparison string: {}".format(expected_comparison)
)
def test_ext_grp_with_ldap(self):
"""User and group with same name should not break reading AD user data.
Regression test for https://pagure.io/SSSD/sssd/issue/4073
When aduser is added in extrnal group and this group is added
in group with same name of nonprivate ipa user and possix id, then
lookup of aduser and group should be successful when cache is empty.
"""
cmd = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.parse_ipa_version(
cmd.stdout_text.strip())
if sssd_version <= platform_tasks.parse_ipa_version('2.2.2'):
pytest.skip("Fix for https://pagure.io/SSSD/sssd/issue/4073 "
"unavailable with sssd-2.2.2")
client = self.clients[0]
user = '******'
userid = '100996'
ext_group = 'ext-ipatest'
tasks.kinit_admin(self.master)
# add user with same uid and gidnumber
tasks.user_add(
self.master,
user,
extra_args=['--noprivate', '--uid', userid, '--gidnumber', userid])
# add group with same as user_name and user_id.
tasks.group_add(self.master, user, extra_args=['--gid', userid])
tasks.group_add(self.master, ext_group, extra_args=['--external'])
self.master.run_command(
['ipa', 'group-add-member', '--group', ext_group, user])
self.master.run_command([
'ipa', '-n', 'group-add-member', '--external',
self.users['ad']['name'], ext_group
])
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(client)
try:
result = client.run_command(['id', self.users['ad']['name']])
assert '{uid}({name})'.format(uid=userid,
name=user) in result.stdout_text
finally:
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'group-del', user, ext_group])
def _is_newer_tomcat_version(self, default=None):
try:
result = ipautil.run([paths.BIN_TOMCAT, "version"],
capture_output=True)
sn = re.search(
r'Server number:\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)',
result.output)
if sn is None:
logger.info(
"tomcat version cannot be parsed, "
"default to pre-%s", default)
return False
v = tasks.parse_ipa_version(sn.group(1))
if v >= tasks.parse_ipa_version(default):
return True
except ipautil.CalledProcessError as e:
logger.info(
"failed to discover tomcat version, "
"default to pre-%s, error: %s", default, str(e))
return False
def test_ipa_version():
v3 = tasks.parse_ipa_version('3.0')
assert v3.version == u'3.0'
if hasattr(v3, '_rpmvercmp'):
assert v3._rpmvercmp_func is None
v3._rpmvercmp(b'1', b'2')
assert v3._rpmvercmp_func is not None
v4 = tasks.parse_ipa_version('4.0')
assert v4.version == u'4.0'
if hasattr(v4, '_rpmvercmp'):
assert v4._rpmvercmp_func is not None
assert v3 < v4
assert v3 <= v4
assert v3 <= v3
assert v3 != v4
assert v3 == v3
assert not v3 == v4
assert v4 > v3
assert v4 >= v3
def test_ipa_version():
v3 = tasks.parse_ipa_version('3.0')
assert v3.version == u'3.0'
if hasattr(v3, '_rpmvercmp'):
assert v3._rpmvercmp_func is None
v3._rpmvercmp(b'1', b'2')
assert v3._rpmvercmp_func is not None
v4 = tasks.parse_ipa_version('4.0')
assert v4.version == u'4.0'
if hasattr(v4, '_rpmvercmp'):
assert v4._rpmvercmp_func is not None
# pylint: disable=comparison-with-itself
assert v3 < v4
assert v3 <= v4
assert v3 <= v3
assert v3 != v4
assert v3 == v3
assert not v3 == v4
assert v4 > v3
assert v4 >= v3
def test_ipa_version():
v3 = tasks.parse_ipa_version('3.0')
assert v3.version == u'3.0'
if hasattr(v3, '_rpmvercmp'):
assert v3._rpmvercmp_func is None
v3._rpmvercmp(b'1', b'2')
assert v3._rpmvercmp_func is not None
v4 = tasks.parse_ipa_version('4.0')
assert v4.version == u'4.0'
if hasattr(v4, '_rpmvercmp'):
assert v4._rpmvercmp_func is not None
# pylint: disable=comparison-with-itself
assert v3 < v4
assert v3 <= v4
assert v3 <= v3
assert v3 != v4
assert v3 == v3
assert not v3 == v4
assert v4 > v3
assert v4 >= v3
def test_chain_of_trust_delv(self):
"""
Validate signed DNS records, using our own signed root zone
"""
INITIAL_KEY_FMT = '%s initial-key %d %d %d "%s";'
# delv reports its version on stderr
delv_version = self.master.run_command(
["delv", "-v"]).stderr_text.rstrip().replace("delv ", "")
assert delv_version
delv_version_parsed = platform_tasks.parse_ipa_version(delv_version)
if delv_version_parsed < platform_tasks.parse_ipa_version("9.16"):
pytest.skip(
f"Requires delv >= 9.16(+yaml), installed: '{delv_version}'")
# extract DSKEY from root zone
ans = resolve_with_dnssec(self.master.ip, root_zone, rtype="DNSKEY")
dnskey_rrset = ans.response.get_rrset(
ans.response.answer,
dns.name.from_text(root_zone),
dns.rdataclass.IN,
dns.rdatatype.DNSKEY,
)
assert dnskey_rrset, "No DNSKEY records received"
# export trust keys for root zone
initial_keys = []
for key_rdata in dnskey_rrset:
if key_rdata.flags != 257:
continue # it is not KSK
initial_keys.append(INITIAL_KEY_FMT % (
root_zone,
key_rdata.flags,
key_rdata.protocol,
key_rdata.algorithm,
base64.b64encode(key_rdata.key).decode("utf-8"),
))
assert initial_keys, "No KSK returned from the root zone"
trust_anchors = textwrap.dedent("""\
trust-anchors {{
{initial_key}
}};
""").format(initial_key="\n".join(initial_keys))
logger.debug("Root zone trust-anchors: %s", trust_anchors)
# set trusted anchor for our root zone
for host in [self.master, self.replicas[0]]:
host.put_file_contents(paths.DNSSEC_TRUSTED_KEY, trust_anchors)
# verify signatures
args = [
"delv",
"+yaml",
"+nosplit",
"+vtrace",
"@127.0.0.1",
example_test_zone,
"-a",
paths.DNSSEC_TRUSTED_KEY,
"SOA",
]
# delv puts trace info on stderr
for host in [self.master, self.replicas[0]]:
result = host.run_command(args)
yaml_data = yaml.safe_load(result.stdout_text)
query_name_abs = dns.name.from_text(example_test_zone)
root_zone_name = dns.name.from_text(root_zone)
query_name_rel = query_name_abs.relativize(
root_zone_name).to_text()
assert yaml_data["query_name"] == query_name_rel
assert yaml_data["status"] == "success"
assert len(yaml_data["records"]) == 1
fully_validated = yaml_data["records"][0]["fully_validated"]
fully_validated.sort()
assert len(fully_validated) == 2
assert f"{example_test_zone} 1 IN RRSIG SOA" in fully_validated[0]
assert f"{example_test_zone} 1 IN SOA" in fully_validated[1]