def test_full_backup_and_restore_with_selinux_booleans_off(self):
"""regression test for https://fedorahosted.org/freeipa/ticket/4157"""
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
logger.info('Backup path for %s is %s', self.master, backup_path)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
self.master.run_command([
'setsebool', '-P',
'httpd_can_network_connect=off',
'httpd_manage_ipa=off',
])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
result = self.master.run_command([
'getsebool',
'httpd_can_network_connect',
'httpd_manage_ipa',
])
assert 'httpd_can_network_connect --> on' in result.stdout_text
assert 'httpd_manage_ipa --> on' in result.stdout_text
def test_restore_trust_pkg_before_restore(self):
"""Test restore with adtrust when trust-ad pkg is missing.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
self.master.run_command(['ipa-adtrust-install', '-U',
'--enable-compat', '--netbios-name', 'IPA',
'-a', self.master.config.admin_password,
'--add-sids'])
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-trust-ad'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(
['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
def test_full_backup_and_restore(self):
"""backup, uninstall, restore"""
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
assert not self.master.transport.file_exists(
paths.IPA_CUSTODIA_KEYS)
assert not self.master.transport.file_exists(
paths.IPA_CUSTODIA_CONF)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# check the file permssion and ownership is set to 770 and
# dirsrv:dirsrv after restore on /var/log/dirsrv/slapd-<instance>
# related ticket : https://pagure.io/freeipa/issue/7725
instance = realm_to_serverid(self.master.domain.realm)
log_path = paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance
cmd = self.master.run_command(['stat', '-c',
'"%a %G:%U"', log_path])
assert "770 dirsrv:dirsrv" in cmd.stdout_text
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = tasks.get_backup_dir(self.master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_userroot_ldif_files_ownership_and_permission(self):
"""backup, uninstall, restore, backup"""
tasks.install_master(self.master)
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
# set umask to 077 just to check if restore success.
self.master.run_command('echo "umask 0077" >> /root/.bashrc')
result = self.master.run_command(['umask'])
assert '0077' in result.stdout_text
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert 'Temporary setting umask to 022' in result.stderr_text
# check if umask reset to 077 after restore.
result = self.master.run_command(['umask'])
assert '0077' in result.stdout_text
# check if files have proper owner and group.
dashed_domain = self.master.domain.realm.replace(".", '-')
arg = ['stat',
'-c', '%U:%G',
'{}/ldif/'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain)]
cmd = self.master.run_command(arg)
expected = '{}:{}'.format(constants.DS_USER, constants.DS_GROUP)
assert expected in cmd.stdout_text
# also check of access rights are set to 644.
arg = ['stat',
'-c', '%U:%G:%a',
'{}/ldif/{}-ipaca.ldif'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain, dashed_domain)]
cmd = self.master.run_command(arg)
assert '{}:644'.format(expected) in cmd.stdout_text
arg = ['stat',
'-c', '%U:%G:%a',
'{}/ldif/{}-userRoot.ldif'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain, dashed_domain)]
cmd = self.master.run_command(arg)
assert '{}:644'.format(expected) in cmd.stdout_text
cmd = self.master.run_command(['ipa-backup', '-d'])
unexp_str = "CRITICAL: db2ldif failed:"
assert cmd.returncode == 0
assert unexp_str not in cmd.stdout_text
def test_restore_bad_dm_password(self):
"""backup, uninstall, restore, wrong DM password (expect failure)"""
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
# No uninstall, just pure restore, the only case where
# prompting for the DM password matters.
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text='badpass\nyes',
raiseonerr=False)
assert result.returncode == 1
def test_restore_dirsrv_not_running(self):
"""backup, restore, dirsrv not running (expect failure)"""
# Flying blind without the restore_checker so we can have
# an error thrown when dirsrv is down.
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipactl', 'stop'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes',
raiseonerr=False)
assert result.returncode == 1
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-dns'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password +
'\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-dns'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
if reinstall:
# If the server was reinstalled, reinstall may have changed
# the uid and restore reverts to the original value.
# clear the cache to make sure we get up-to-date values
tasks.clear_sssd_cache(self.master)
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = tasks.get_backup_dir(self.master)
# check that no error message in uninstall log for KRA instance
cmd = self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
'--dnssec',
'true',
])
assert (wait_until_record_is_signed(
self.master.ip, self.example_test_zone)), "Zone is not signed"
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
if reinstall:
# If the server was reinstalled, reinstall may have changed
# the uid and restore reverts to the original value.
# clear the cache to make sure we get up-to-date values
tasks.clear_sssd_cache(self.master)
assert (wait_until_record_is_signed(
self.master.ip,
self.example_test_zone)), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
'--dnssec',
'true',
])
assert (wait_until_record_is_signed(
self.master.ip,
self.example2_test_zone)), "A new zone is not signed"
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-dns'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(
['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-dns'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_idp_backup_restore(self):
"""
Test case to check that after restore data is retrieved
with related idp configuration.
"""
tasks.kinit_admin(self.master)
user = "******"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, user,
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=testidp"]
)
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'idp-del', 'testidp'])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
try:
list_user = self.master.run_command(
['ipa', 'user-show', 'backupuser', '--all']
).stdout_text
assert "External IdP configuration: testidp" in list_user
assert "User authentication types: idp" in list_user
assert ("External IdP user identifier: "
"*****@*****.**") in list_user
list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp'])
assert "testidp" in list_idp.stdout_text
kinit_idp(self.master, user, self.client)
finally:
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(["rm", "-rf", backup_path])
self.master.run_command(["ipa", "idp-del", "testidp"])
def test_full_backup_and_restore_with_removed_users(self):
"""regression test for https://fedorahosted.org/freeipa/ticket/3866"""
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
logger.info('Backup path for %s is %s', self.master, backup_path)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
homedir = os.path.join(self.master.config.test_dir,
'testuser_homedir')
self.master.run_command(
['useradd', 'ipatest_user1', '--system', '-d', homedir])
try:
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
finally:
self.master.run_command(['userdel', 'ipatest_user1'])
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = tasks.get_backup_dir(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
# restore turns a hidden replica into an enabled replica
# https://pagure.io/freeipa/issue/7894
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def test_hidden_replica_backup_and_restore(self):
"""Exercises backup+restore and hidden replica uninstall
"""
self._check_server_role(self.replicas[0], 'hidden')
# backup
backup_path = tasks.get_backup_dir(self.replicas[0])
# uninstall
tasks.uninstall_master(self.replicas[0])
# restore
dirman_password = self.master.config.dirman_password
self.replicas[0].run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# give replication some time
time.sleep(5)
tasks.kinit_admin(self.replicas[0])
# FIXME: restore turns hidden replica into enabled replica
self._check_config([self.master, self.replicas[0]])
self._check_server_role(self.replicas[0], 'enabled')
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa",
"vault-add",
self.vault_name,
"--password",
self.vault_password,
"--type",
"symmetric",
])
# archive secret
self.master.run_command([
"ipa",
"vault-archive",
self.vault_name,
"--password",
self.vault_password,
"--data",
self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
backup_path = tasks.get_backup_dir(self.master)
# check that no error message in uninstall log for KRA instance
cmd = self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
if reinstall:
# If the server was reinstalled, reinstall may have changed
# the uid and restore reverts to the original value.
# clear the cache to make sure we get up-to-date values
tasks.clear_sssd_cache(self.master)
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
