def check_master_removal(host, hostname_to_remove,
                         force=False,
                         ignore_topology_disconnect=False,
                         ignore_last_of_role=False):
    """Delete a server with ``server-del`` and verify that it is gone.

    ``tasks.run_server_del`` is run from *host* against
    *hostname_to_remove* with the given override flags and must exit
    with 0.  For every override that was requested, the matching notice
    must appear on stderr.  Afterwards ``ipa server-show`` for the removed
    host must fail with return code 2 and a "server not found" message.
    """
    removal = tasks.run_server_del(
        host,
        hostname_to_remove,
        force=force,
        ignore_topology_disconnect=ignore_topology_disconnect,
        ignore_last_of_role=ignore_last_of_role,
    )
    assert removal.returncode == 0

    # Each override skips a check that would otherwise refuse the removal,
    # so the test insists that using one leaves a visible trace on stderr.
    override_notices = (
        (force,
         "Forcing removal of {hostname}".format(
             hostname=hostname_to_remove)),
        (ignore_topology_disconnect,
         "Ignoring topology connectivity errors."),
        (ignore_last_of_role,
         "Ignoring these warnings and proceeding with removal"),
    )
    for requested, notice in override_notices:
        if requested:
            assert notice in removal.stderr_text

    # The deleted server must no longer be resolvable through the API.
    lookup = host.run_command(
        ['ipa', 'server-show', hostname_to_remove], raiseonerr=False)
    not_found = "{}: server not found".format(hostname_to_remove)
    tasks.assert_error(lookup, not_found, returncode=2)
def test_removal_of_master_raises_error_about_dnssec(self):
    """server-del of the master must be refused while it holds DNSSEC keys.

    The deletion is attempted from the first replica and is expected to
    fail with return code 1 and the DNSSEC key master message.
    """
    expected_error = (
        "Replica is active DNSSEC key master. Uninstall "
        "could break your DNS system. Please disable or replace "
        "DNSSEC key master first."
    )
    attempt = tasks.run_server_del(self.replicas[0], self.master.hostname)
    tasks.assert_error(attempt, expected_error, 1)
def test_removal_of_master_raises_error_about_last_ca(self):
    """server-del of the master must fail when it would remove the CA.

    The deletion is attempted from the first replica and is expected to
    fail with return code 1 and the "without a CA" message.
    """
    expected_error = (
        "Deleting this server is not allowed as it would leave your "
        "installation without a CA."
    )
    attempt = tasks.run_server_del(self.replicas[0], self.master.hostname)
    tasks.assert_error(attempt, expected_error, 1)
def test_removal_of_master_raises_error_about_last_dns(self):
    """server-del must complain about removing the last DNS server.

    The deletion of the master is attempted from the first replica and is
    expected to fail with return code 1 and the "without a DNS" message.
    """
    expected_error = (
        "Deleting this server will leave your installation "
        "without a DNS."
    )
    attempt = tasks.run_server_del(self.replicas[0], self.master.hostname)
    tasks.assert_error(attempt, expected_error, 1)
def test_removal_of_nonexistent_master_raises_error(self):
    """server-del of a host that does not exist must report an error.

    The command is run from the client and must fail with return code 2
    and a "server not found" message naming the bogus host.
    """
    bogus_host = u'bogus-master.bogus.domain'
    attempt = tasks.run_server_del(self.client, bogus_host)
    tasks.assert_error(
        attempt,
        "{}: server not found".format(bogus_host),
        returncode=2,
    )
def test_replica_uninstallation_prohibited(self):
    """
    http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
    #Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting
    _topology_segment

    A plain uninstall of the first replica must be refused with return
    code 1 because it would disconnect the topology.  The uninstall is
    then repeated with --ignore-topology-disconnect, and the freeipa-ldap
    and freeipa-ldaps firewall services are disabled for that host.
    """
    replica = self.replicas[0]
    uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']

    refused = replica.run_command(uninstall_cmd, raiseonerr=False)
    expected_error = (
        "Removal of '%s' leads to disconnected"
        " topology" % replica.hostname
    )
    assert_error(refused, expected_error, 1)

    # The override is explicit: the guard above only gives way when the
    # operator asks for the topology disconnect to be ignored.
    replica.run_command(uninstall_cmd + ['--ignore-topology-disconnect'])

    # Close the LDAP/LDAPS firewall services once the server is gone.
    Firewall(replica).disable_services(["freeipa-ldap", "freeipa-ldaps"])
def test_promotion_disabled(self):
    """
    Testcase:
    http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
    _Make_sure_the_feature_is_unavailable_under_domain_level_0

    After enrolling the first replica host as a client, a file-less
    ipa-replica-install must fail with return code 1 and the message
    asking for a file generated by ipa-replica-prepare.
    """
    host = self.replicas[0]
    tasks.install_client(self.master, host)

    # NOTE(review): both passwords travel as command-line arguments, which
    # are readable in the process list of the test host while the command
    # runs; this is only acceptable for throwaway test credentials.
    promote_cmd = [
        'ipa-replica-install', '-U',
        '-p', self.master.config.dirman_password,
        '-w', self.master.config.admin_password,
        '--ip-address', host.ip,
    ]
    outcome = host.run_command(promote_cmd, raiseonerr=False)

    expected_error = (
        'You must provide a file generated by ipa-replica-prepare'
        ' to create a replica when the domain is at level 0'
    )
    assert_error(outcome, expected_error, 1)
def test_wrong_client_domain(self):
    """Promotion must be refused when the client's domain differs.

    The first replica host is enrolled as a client with
    ``--domain self.domain_name``; the following ipa-replica-install is
    expected to fail with the "Cannot promote this client" message that
    names both the local domain and the IPA domain.
    """
    host = self.replicas[0]

    enroll_cmd = [
        'ipa-client-install', '-U',
        '--domain', self.domain_name,
        '--realm', self.master.domain.realm,
        '-p', 'admin',
        '-w', self.master.config.admin_password,
        '--server', self.master.hostname,
        '--force-join',
    ]
    host.run_command(enroll_cmd)

    # NOTE(review): -w receives config.dirman_password here, while the
    # ipa-client-install call above passes config.admin_password to -w;
    # confirm that this is intended.  Both values are also exposed as
    # command-line arguments on the test host.
    promote_cmd = [
        'ipa-replica-install', '-U',
        '-w', self.master.config.dirman_password,
    ]
    outcome = host.run_command(promote_cmd, raiseonerr=False)

    expected_error = (
        "Cannot promote this client to a replica. Local domain "
        "'%s' does not match IPA domain "
        "'%s'" % (self.domain_name, self.master.domain.name)
    )
    assert_error(outcome, expected_error)
def check_removal_disconnects_topology(
        host, hostname_to_remove,
        affected_suffixes=(DOMAIN_SUFFIX_NAME, )):
    """Verify that server-del is refused for the expected suffixes.

    ``tasks.run_server_del`` is run from *host* against
    *hostname_to_remove*.  For each suffix listed in *affected_suffixes*
    the removal error built from ``REMOVAL_ERR_TEMPLATE`` must be reported
    with return code 1; for the other known suffix that error text must
    not appear on stderr at all.
    """
    outcome = tasks.run_server_del(host, hostname_to_remove)

    # Only the CA and domain suffixes are checked below.
    assert len(affected_suffixes) <= 2

    expected_by_suffix = {
        name: REMOVAL_ERR_TEMPLATE.format(
            hostname=hostname_to_remove, suffix=name)
        for name in (CA_SUFFIX_NAME, DOMAIN_SUFFIX_NAME)
    }

    for name, message in expected_by_suffix.items():
        if name not in affected_suffixes:
            # An unaffected suffix must not be blamed for the refusal.
            assert message not in outcome.stderr_text
            continue
        tasks.assert_error(outcome, message, returncode=1)
def test_replica_after_domain_upgrade(self):
    """Check that replication still works after raising the domain level.

    A user is added on the master, the domain level is set to
    DOMAIN_LEVEL_1, and the user must then be visible on the first
    replica.  Deleting the user on the replica must in turn make
    ``ipa user-show`` on the master fail with return code 2.
    """
    master = self.master
    replica = self.replicas[0]
    login = self.username

    tasks.kinit_admin(master)
    tasks.kinit_admin(replica)

    master.run_command(
        ['ipa', 'user-add', login, '--first', 'test', '--last', 'user'])
    tasks.wait_for_replication(replica.ldap_connect())

    master.run_command(['ipa', 'domainlevel-set', str(DOMAIN_LEVEL_1)])

    shown = replica.run_command(['ipa', 'user-show', login])
    expected_line = "User login: %s" % login
    assert expected_line in shown.stdout_text, (
        "A testuser was not found on replica after domain upgrade")

    # Now the other direction: delete on the replica, check on the master.
    replica.run_command(['ipa', 'user-del', login])
    tasks.wait_for_replication(master.ldap_connect())

    missing = master.run_command(
        ['ipa', 'user-show', login], raiseonerr=False)
    assert_error(missing, "%s: user not found" % login, 2)
def test_krbtpolicy_otp(self):
    """Test otp ticket policy.

    USER1 and the global configuration are switched to the ``otp`` auth
    type, and USER1 gets ``--otp-maxrenew=90 --otp-maxlife=60``.  With a
    TOTP token and a FAST armor cache the user obtains a renewable
    ticket; ``kinit -R`` must succeed after 30 seconds and must fail with
    "Ticket expired while renewing credentials" after a further 60.
    """
    master = self.master
    tasks.kinit_admin(master)

    policy_setup = (
        ['user-mod', USER1, '--user-auth-type', 'otp'],
        ['config-mod', '--user-auth-type', 'otp'],
        ['krbtpolicy-mod', USER1,
         '--otp-maxrenew=90', '--otp-maxlife=60'],
    )
    for ipa_args in policy_setup:
        master.run_command(['ipa'] + ipa_args)

    armor_ccache = tasks.create_temp_file(master, create_file=False)
    token_id, totp = add_otptoken(master, USER1, otptype="totp")
    otp_code = totp.generate(int(time.time())).decode("ascii")

    try:
        tasks.kdestroy_all(master)

        # create armor for FAST
        master.run_command(['kinit', '-n', '-c', armor_ccache])

        # expect ticket expire in otp-maxlife=60 seconds
        # The password and the OTP code are fed through stdin, so they
        # never show up in the command line of the kinit process.
        master.run_command(
            ['kinit', '-T', armor_ccache, USER1, '-r', '90'],
            stdin_text='{0}{1}\n'.format(PASSWORD, otp_code))
        master.run_command(['ipa', 'user-find', USER1])

        time.sleep(30)
        # when user kerberos ticket expired but still within renew time,
        # kinit -R should give user new life
        master.run_command(['kinit', '-R', USER1])
        master.run_command(['ipa', 'user-find', USER1])

        time.sleep(60)
        # when renew time expires, kinit -R should fail
        late_renewal = master.run_command(
            ['kinit', '-R', USER1], raiseonerr=False)
        tasks.assert_error(
            late_renewal,
            "kinit: Ticket expired while renewing credentials", 1)
        master.run_command(['ipa', 'user-find', USER1], ok_returncode=1)
    finally:
        # NOTE(review): these cleanup steps run in sequence; if an early
        # one raises, the later ones are skipped, which would leave the
        # armor cache file and the global otp auth type in place.
        del_otptoken(master, token_id)
        reset_to_default_policy(master, USER1)
        master.run_command(['rm', '-f', armor_ccache])
        master.run_command(['ipa', 'config-mod', '--user-auth-type='])
def check_removal_disconnects_topology(
        host, hostname_to_remove,
        affected_suffixes=(DOMAIN_SUFFIX_NAME,)):
    """Verify that server-del is refused for the expected suffixes.

    ``tasks.run_server_del`` is run from *host* against
    *hostname_to_remove*.  The removal error for every suffix named in
    *affected_suffixes* must be reported with return code 1, and the
    error for the remaining known suffix must be absent from stderr.
    """
    del_result = tasks.run_server_del(host, hostname_to_remove)

    # Only the CA and domain suffixes are checked below.
    assert len(affected_suffixes) <= 2

    known_suffixes = (CA_SUFFIX_NAME, DOMAIN_SUFFIX_NAME)
    err_messages_by_suffix = {
        suffix_name: REMOVAL_ERR_TEMPLATE.format(
            hostname=hostname_to_remove, suffix=suffix_name)
        for suffix_name in known_suffixes
    }

    for suffix_name, err_message in err_messages_by_suffix.items():
        if suffix_name in affected_suffixes:
            tasks.assert_error(del_result, err_message, returncode=1)
        else:
            # An unaffected suffix must not be blamed for the refusal.
            assert err_message not in del_result.stderr_text
def test_kra_install_without_replica_file(self):
    """Check the replica-file requirement of KRA install per domain level.

    On the first replica a KRA install requested with DOMAIN_LEVEL_1 must
    fail with "A replica file is required", while DOMAIN_LEVEL_0
    succeeds.  After the master is raised to DOMAIN_LEVEL_1, a KRA
    install on the second replica requested with DOMAIN_LEVEL_0 must fail
    with "No replica file is required", and the default call succeeds.
    """
    master = self.master
    first_replica = self.replicas[0]
    second_replica = self.replicas[1]

    tasks.install_kra(master, first_instance=True)
    tasks.install_replica(master, first_replica)

    missing_file = tasks.install_kra(
        first_replica, domain_level=DOMAIN_LEVEL_1, raiseonerr=False)
    assert_error(missing_file, "A replica file is required", 1)
    tasks.install_kra(
        first_replica, domain_level=DOMAIN_LEVEL_0, raiseonerr=True)

    # Now prepare the replica file, copy it to the client and raise
    # domain level on master to test the reverse situation
    tasks.replica_prepare(master, second_replica)
    master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
    tasks.install_replica(master, second_replica)

    unwanted_file = tasks.install_kra(
        second_replica, domain_level=DOMAIN_LEVEL_0, raiseonerr=False)
    assert_error(unwanted_file, "No replica file is required", 1)
    tasks.install_kra(second_replica)
def test_removal_of_master_raises_error_about_dnssec(self):
    """Removing the active DNSSEC key master must be rejected.

    ``server-del`` for the master is issued from the first replica; the
    expected outcome is return code 1 together with the DNSSEC key
    master message.
    """
    dnssec_error = (
        "Replica is active DNSSEC key master. Uninstall "
        "could break your DNS system. Please disable or replace "
        "DNSSEC key master first."
    )
    del_result = tasks.run_server_del(
        self.replicas[0], self.master.hostname)
    tasks.assert_error(del_result, dnssec_error, 1)
def test_replica_manage_commands(self):
    """
    TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
    #Test_case:_ipa-replica-manage_connect_is_deprecated_in_domain_level_1

    ``ipa-replica-manage connect`` and ``disconnect`` between the two
    replicas must exit with 0 before the domain level is raised.  After
    ``domainlevel-set DOMAIN_LEVEL_1`` the same commands, and the
    ``ipa-csreplica-manage`` del/connect/disconnect commands, must fail
    with return code 1 and their deprecation messages.
    """
    master = self.master
    replica1 = self.replicas[0]
    replica2 = self.replicas[1]

    peers = [replica1.hostname, replica2.hostname]
    # NOTE(review): the Directory Manager password is passed with -p as a
    # command-line argument, so it is readable in the process list of the
    # master while each command runs; fine for throwaway test credentials
    # only.
    dm_auth = ['-p', master.config.dirman_password]

    connected = master.run_command(
        ["ipa-replica-manage", "connect"] + peers, raiseonerr=False)
    assert connected.returncode == 0, connected.stderr_text

    disconnected = master.run_command(
        ["ipa-replica-manage", "disconnect"] + peers, raiseonerr=False)
    assert disconnected.returncode == 0, disconnected.stderr_text

    master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])

    connect_refused = master.run_command(
        ["ipa-replica-manage", "connect"] + peers, raiseonerr=False)
    assert_error(
        connect_refused,
        'Creation of IPA replication agreement is'
        ' deprecated with managed IPA replication'
        ' topology. Please use `ipa topologysegment-*`'
        ' commands to manage the topology', 1)

    segment = tasks.create_segment(master, replica1, replica2)

    disconnect_refused = master.run_command(
        ["ipa-replica-manage", "disconnect"] + peers, raiseonerr=False)
    assert_error(
        disconnect_refused,
        'Removal of IPA replication agreement is'
        ' deprecated with managed IPA replication'
        ' topology. Please use `ipa topologysegment-*`'
        ' commands to manage the topology', 1)

    # http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
    # #Test_case:_ipa-csreplica-manage_connect_is_deprecated
    # _in_domain_level_1
    cs_del_refused = master.run_command(
        ['ipa-csreplica-manage', 'del', replica1.hostname] + dm_auth,
        raiseonerr=False)
    assert_error(
        cs_del_refused,
        "Removal of IPA CS replication agreement"
        " and replication data is deprecated with"
        " managed IPA replication topology", 1)

    tasks.destroy_segment(master, segment[0]['name'])

    cs_connect_refused = master.run_command(
        ["ipa-csreplica-manage", "connect"] + peers + dm_auth,
        raiseonerr=False)
    assert_error(
        cs_connect_refused,
        "Creation of IPA CS replication agreement is"
        " deprecated with managed IPA replication"
        " topology", 1)

    tasks.create_segment(master, replica1, replica2)

    cs_disconnect_refused = master.run_command(
        ["ipa-csreplica-manage", "disconnect"] + peers + dm_auth,
        raiseonerr=False)
    assert_error(
        cs_disconnect_refused,
        "Removal of IPA CS replication agreement is"
        " deprecated with managed IPA"
        " replication topology", 1)