Ejemplo n.º 1
0
    def __configure_instance(self):
        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
        self.__template_file(paths.KRB5_CONF)
        self.__template_file(paths.HTML_KRB5_INI)
        self.__template_file(paths.KRB_CON)
        self.__template_file(paths.HTML_KRBREALM_CON)

        MIN_KRB5KDC_WITH_WORKERS = "1.9"
        cpus = os.sysconf('SC_NPROCESSORS_ONLN')
        workers = False
        result = ipautil.run([paths.KLIST, '-V'],
                             raiseonerr=False,
                             capture_output=True)
        if result.returncode == 0:
            verstr = result.output.split()[-1]
            ver = tasks.parse_ipa_version(verstr)
            min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS)
            if ver >= min:
                workers = True
        # Write down config file
        # We write realm and also number of workers (for multi-CPU systems)
        replacevars = {'KRB5REALM': self.realm}
        appendvars = {}
        if workers and cpus > 1:
            appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
        ipautil.backup_config_and_replace_variables(
            self.fstore,
            paths.SYSCONFIG_KRB5KDC_DIR,
            replacevars=replacevars,
            appendvars=appendvars)
        tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
Ejemplo n.º 2
0
def check_version():
    """
    :raise UpgradePlatformError: if platform is not the same
    :raise UpgradeDataOlderVersionError: if data needs to be upgraded
    :raise UpgradeDataNewerVersionError: older version of IPA was detected than data
    :raise UpgradeMissingVersionError: if platform or version is missing
    """
    platform = sysupgrade.get_upgrade_state('ipa', 'platform')
    if platform is not None:
        if platform != ipaplatform.NAME:
            raise UpgradePlatformError(
                "platform mismatch (expected '%s', current '%s')" % (
                platform, ipaplatform.NAME)
            )
    else:
        raise UpgradeMissingVersionError("no platform stored")

    data_version = sysupgrade.get_upgrade_state('ipa', 'data_version')
    if data_version is not None:
        parsed_data_ver = tasks.parse_ipa_version(data_version)
        parsed_ipa_ver = tasks.parse_ipa_version(version.VENDOR_VERSION)
        if parsed_data_ver < parsed_ipa_ver:
            raise UpgradeDataOlderVersionError(
                "data needs to be upgraded (expected version '%s', current "
                "version '%s')" % (version.VENDOR_VERSION, data_version)
            )
        elif parsed_data_ver > parsed_ipa_ver:
            raise UpgradeDataNewerVersionError(
                "data are in newer version than IPA (data version '%s', IPA "
                "version '%s')" % (data_version, version.VENDOR_VERSION)
            )
    else:
        raise UpgradeMissingVersionError("no data_version stored")
Ejemplo n.º 3
0
    def __configure_instance(self):
        self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
        self.__template_file(paths.KRB5_CONF)
        self.__template_file(paths.HTML_KRB5_INI)
        self.__template_file(paths.KRB_CON)
        self.__template_file(paths.HTML_KRBREALM_CON)

        MIN_KRB5KDC_WITH_WORKERS = "1.9"
        cpus = os.sysconf('SC_NPROCESSORS_ONLN')
        workers = False
        result = ipautil.run(['klist', '-V'],
                             raiseonerr=False, capture_output=True)
        if result.returncode == 0:
            verstr = result.output.split()[-1]
            ver = tasks.parse_ipa_version(verstr)
            min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS)
            if ver >= min:
                workers = True
        # Write down config file
        # We write realm and also number of workers (for multi-CPU systems)
        replacevars = {'KRB5REALM':self.realm}
        appendvars = {}
        if workers and cpus > 1:
            appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)}
        ipautil.backup_config_and_replace_variables(self.fstore, paths.SYSCONFIG_KRB5KDC_DIR,
                                                    replacevars=replacevars,
                                                    appendvars=appendvars)
        tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
Ejemplo n.º 4
0
def check_version():
    """
    :raise UpgradePlatformError: if platform is not the same
    :raise UpgradeDataOlderVersionError: if data needs to be upgraded
    :raise UpgradeDataNewerVersionError: older version of IPA was detected than data
    :raise UpgradeMissingVersionError: if platform or version is missing
    """
    platform = sysupgrade.get_upgrade_state('ipa', 'platform')
    if platform is not None:
        if platform != ipaplatform.NAME:
            raise UpgradePlatformError(
                "platform mismatch (expected '%s', current '%s')" % (
                platform, ipaplatform.NAME)
            )
    else:
        raise UpgradeMissingVersionError("no platform stored")

    data_version = sysupgrade.get_upgrade_state('ipa', 'data_version')
    if data_version is not None:
        parsed_data_ver = tasks.parse_ipa_version(data_version)
        parsed_ipa_ver = tasks.parse_ipa_version(version.VENDOR_VERSION)
        if parsed_data_ver < parsed_ipa_ver:
            raise UpgradeDataOlderVersionError(
                "data needs to be upgraded (expected version '%s', current "
                "version '%s')" % (version.VENDOR_VERSION, data_version)
            )
        elif parsed_data_ver > parsed_ipa_ver:
            raise UpgradeDataNewerVersionError(
                "data are in newer version than IPA (data version '%s', IPA "
                "version '%s')" % (data_version, version.VENDOR_VERSION)
            )
    else:
        raise UpgradeMissingVersionError("no data_version stored")
Ejemplo n.º 5
0
    def test_ssh_from_controller(self):
        """https://pagure.io/SSSD/sssd/issue/3979
        Test ssh from test controller after adding
        ldap_deref_threshold=0 to sssd.conf on master

        Steps:
        1. setup a master
        2. add ldap_deref_threshold=0 to sssd.conf on master
        3. add an ipa user
        4. ssh from controller to master using the user created in step 3
        """
        if self.master.is_fips_mode:  # pylint: disable=no-member
            pytest.skip("paramiko is not compatible with FIPS mode")

        cmd = self.master.run_command(['sssd', '--version'])
        sssd_version = platform_tasks.parse_ipa_version(
            cmd.stdout_text.strip())
        if sssd_version < platform_tasks.parse_ipa_version('2.2.0'):
            pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")

        username = "******" + str(random.randint(200000, 9999999))
        # add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
        sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF)
        with tasks.remote_sssd_config(self.master) as sssd_config:
            sssd_config.edit_domain(
                self.master.domain, 'ldap_deref_threshold', 0)
        try:
            self.master.run_command(['systemctl', 'restart', 'sssd.service'])

            # kinit admin
            tasks.kinit_admin(self.master)

            # add ipa user
            cmd = ['ipa', 'user-add',
                   '--first', username,
                   '--last', username,
                   '--password', username]
            input_passwd = 'Secret123\nSecret123\n'
            cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
            assert 'Added user "%s"' % username in cmd_output.stdout_text
            input_passwd = 'Secret123\nSecret123\nSecret123\n'
            self.master.run_command(['kinit', username],
                                    stdin_text=input_passwd)

            client = paramiko.SSHClient()
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            client.connect(self.master.hostname,
                           username=username,
                           password='******')
            client.close()
        finally:
            sssd_conf_backup.restore()
            self.master.run_command(['systemctl', 'restart', 'sssd.service'])
Ejemplo n.º 6
0
    def test_versions(self, versions):
        version_string1, version_string2, expected_comparison = versions

        ver1 = tasks.parse_ipa_version(version_string1)
        ver2 = tasks.parse_ipa_version(version_string2)

        if expected_comparison == "newer":
            assert ver1 > ver2
        elif expected_comparison == "older":
            assert ver1 < ver2
        elif expected_comparison == "equal":
            assert ver1 == ver2
        else:
            raise TypeError(
                "Unexpected comparison string: {}".format(expected_comparison))
Ejemplo n.º 7
0
    def test_versions(self, versions):
        version_string1, version_string2, expected_comparison = versions

        ver1 = tasks.parse_ipa_version(version_string1)
        ver2 = tasks.parse_ipa_version(version_string2)

        if expected_comparison == "newer":
            assert ver1 > ver2
        elif expected_comparison == "older":
            assert ver1 < ver2
        elif expected_comparison == "equal":
            assert ver1 == ver2
        else:
            raise TypeError(
                "Unexpected comparison string: {}".format(expected_comparison)
            )
Ejemplo n.º 8
0
    def test_ext_grp_with_ldap(self):
        """User and group with same name should not break reading AD user data.

        Regression test for https://pagure.io/SSSD/sssd/issue/4073

        When aduser is added in extrnal group and this group is added
        in group with same name of nonprivate ipa user and possix id, then
        lookup of aduser and group should be successful when cache is empty.
        """
        cmd = self.master.run_command(['sssd', '--version'])
        sssd_version = platform_tasks.parse_ipa_version(
            cmd.stdout_text.strip())
        if sssd_version <= platform_tasks.parse_ipa_version('2.2.2'):
            pytest.skip("Fix for https://pagure.io/SSSD/sssd/issue/4073 "
                        "unavailable with sssd-2.2.2")
        client = self.clients[0]
        user = '******'
        userid = '100996'
        ext_group = 'ext-ipatest'
        tasks.kinit_admin(self.master)
        # add user with same uid and gidnumber
        tasks.user_add(
            self.master,
            user,
            extra_args=['--noprivate', '--uid', userid, '--gidnumber', userid])
        # add group with same as user_name and user_id.
        tasks.group_add(self.master, user, extra_args=['--gid', userid])
        tasks.group_add(self.master, ext_group, extra_args=['--external'])
        self.master.run_command(
            ['ipa', 'group-add-member', '--group', ext_group, user])
        self.master.run_command([
            'ipa', '-n', 'group-add-member', '--external',
            self.users['ad']['name'], ext_group
        ])
        tasks.clear_sssd_cache(self.master)
        tasks.clear_sssd_cache(client)
        try:
            result = client.run_command(['id', self.users['ad']['name']])
            assert '{uid}({name})'.format(uid=userid,
                                          name=user) in result.stdout_text
        finally:
            self.master.run_command(['ipa', 'user-del', user])
            self.master.run_command(['ipa', 'group-del', user, ext_group])
Ejemplo n.º 9
0
 def _is_newer_tomcat_version(self, default=None):
     try:
         result = ipautil.run([paths.BIN_TOMCAT, "version"],
                              capture_output=True)
         sn = re.search(
             r'Server number:\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)',
             result.output)
         if sn is None:
             logger.info(
                 "tomcat version cannot be parsed, "
                 "default to pre-%s", default)
             return False
         v = tasks.parse_ipa_version(sn.group(1))
         if v >= tasks.parse_ipa_version(default):
             return True
     except ipautil.CalledProcessError as e:
         logger.info(
             "failed to discover tomcat version, "
             "default to pre-%s, error: %s", default, str(e))
     return False
Ejemplo n.º 10
0
def test_ipa_version():
    v3 = tasks.parse_ipa_version('3.0')
    assert v3.version == u'3.0'
    if hasattr(v3, '_rpmvercmp'):
        assert v3._rpmvercmp_func is None
        v3._rpmvercmp(b'1', b'2')
        assert v3._rpmvercmp_func is not None

    v4 = tasks.parse_ipa_version('4.0')
    assert v4.version == u'4.0'
    if hasattr(v4, '_rpmvercmp'):
        assert v4._rpmvercmp_func is not None

    assert v3 < v4
    assert v3 <= v4
    assert v3 <= v3
    assert v3 != v4
    assert v3 == v3
    assert not v3 == v4
    assert v4 > v3
    assert v4 >= v3
Ejemplo n.º 11
0
def test_ipa_version():
    v3 = tasks.parse_ipa_version('3.0')
    assert v3.version == u'3.0'
    if hasattr(v3, '_rpmvercmp'):
        assert v3._rpmvercmp_func is None
        v3._rpmvercmp(b'1', b'2')
        assert v3._rpmvercmp_func is not None

    v4 = tasks.parse_ipa_version('4.0')
    assert v4.version == u'4.0'
    if hasattr(v4, '_rpmvercmp'):
        assert v4._rpmvercmp_func is not None

    # pylint: disable=comparison-with-itself
    assert v3 < v4
    assert v3 <= v4
    assert v3 <= v3
    assert v3 != v4
    assert v3 == v3
    assert not v3 == v4
    assert v4 > v3
    assert v4 >= v3
Ejemplo n.º 12
0
def test_ipa_version():
    v3 = tasks.parse_ipa_version('3.0')
    assert v3.version == u'3.0'
    if hasattr(v3, '_rpmvercmp'):
        assert v3._rpmvercmp_func is None
        v3._rpmvercmp(b'1', b'2')
        assert v3._rpmvercmp_func is not None

    v4 = tasks.parse_ipa_version('4.0')
    assert v4.version == u'4.0'
    if hasattr(v4, '_rpmvercmp'):
        assert v4._rpmvercmp_func is not None

    # pylint: disable=comparison-with-itself
    assert v3 < v4
    assert v3 <= v4
    assert v3 <= v3
    assert v3 != v4
    assert v3 == v3
    assert not v3 == v4
    assert v4 > v3
    assert v4 >= v3
Ejemplo n.º 13
0
    def test_chain_of_trust_delv(self):
        """
        Validate signed DNS records, using our own signed root zone
        """
        INITIAL_KEY_FMT = '%s initial-key %d %d %d "%s";'

        # delv reports its version on stderr
        delv_version = self.master.run_command(
            ["delv", "-v"]).stderr_text.rstrip().replace("delv ", "")
        assert delv_version

        delv_version_parsed = platform_tasks.parse_ipa_version(delv_version)
        if delv_version_parsed < platform_tasks.parse_ipa_version("9.16"):
            pytest.skip(
                f"Requires delv >= 9.16(+yaml), installed: '{delv_version}'")

        # extract DSKEY from root zone
        ans = resolve_with_dnssec(self.master.ip, root_zone, rtype="DNSKEY")
        dnskey_rrset = ans.response.get_rrset(
            ans.response.answer,
            dns.name.from_text(root_zone),
            dns.rdataclass.IN,
            dns.rdatatype.DNSKEY,
        )
        assert dnskey_rrset, "No DNSKEY records received"

        # export trust keys for root zone
        initial_keys = []
        for key_rdata in dnskey_rrset:
            if key_rdata.flags != 257:
                continue  # it is not KSK

            initial_keys.append(INITIAL_KEY_FMT % (
                root_zone,
                key_rdata.flags,
                key_rdata.protocol,
                key_rdata.algorithm,
                base64.b64encode(key_rdata.key).decode("utf-8"),
            ))

        assert initial_keys, "No KSK returned from the root zone"

        trust_anchors = textwrap.dedent("""\
            trust-anchors {{
            {initial_key}
            }};
            """).format(initial_key="\n".join(initial_keys))
        logger.debug("Root zone trust-anchors: %s", trust_anchors)

        # set trusted anchor for our root zone
        for host in [self.master, self.replicas[0]]:
            host.put_file_contents(paths.DNSSEC_TRUSTED_KEY, trust_anchors)

        # verify signatures
        args = [
            "delv",
            "+yaml",
            "+nosplit",
            "+vtrace",
            "@127.0.0.1",
            example_test_zone,
            "-a",
            paths.DNSSEC_TRUSTED_KEY,
            "SOA",
        ]

        # delv puts trace info on stderr
        for host in [self.master, self.replicas[0]]:
            result = host.run_command(args)
            yaml_data = yaml.safe_load(result.stdout_text)

            query_name_abs = dns.name.from_text(example_test_zone)
            root_zone_name = dns.name.from_text(root_zone)
            query_name_rel = query_name_abs.relativize(
                root_zone_name).to_text()
            assert yaml_data["query_name"] == query_name_rel
            assert yaml_data["status"] == "success"

            assert len(yaml_data["records"]) == 1
            fully_validated = yaml_data["records"][0]["fully_validated"]
            fully_validated.sort()
            assert len(fully_validated) == 2
            assert f"{example_test_zone} 1 IN RRSIG SOA" in fully_validated[0]
            assert f"{example_test_zone} 1 IN SOA" in fully_validated[1]