def test_wrong_client_domain(self):
     """Check that a client whose local domain differs cannot be promoted.

     The first replica host is enrolled as a client with
     ``self.domain_name`` as its domain, then ``ipa-replica-install`` is
     run on it and is expected to fail with the domain-mismatch message.
     """
     host = self.replicas[0]
     # NOTE(review): the admin password is a plain argv element, so it can
     # show up in the host's process list and in whatever command logging
     # run_command does -- only throwaway test credentials belong here.
     enroll_cmd = [
         "ipa-client-install",
         "-U",
         "--domain", self.domain_name,
         "--realm", self.master.domain.realm,
         "-p", "admin",
         "-w", self.master.config.admin_password,
         "--server", self.master.hostname,
         "--force-join",
     ]
     host.run_command(enroll_cmd)

     # NOTE(review): -w receives the Directory Manager password here, while
     # other snippets in this listing pass the admin password with -w;
     # presumably harmless because the domain check fails first -- confirm.
     promote_cmd = [
         "ipa-replica-install",
         "-U",
         "-w", self.master.config.dirman_password,
     ]
     outcome = host.run_command(promote_cmd, raiseonerr=False)

     expected = (
         "Cannot promote this client to a replica. Local domain "
         "'%s' does not match IPA domain "
         "'%s'" % (self.domain_name, self.master.domain.name)
     )
     # No return code is passed, so only the stderr text is pinned here.
     assert_error(outcome, expected)
    def test_ca_install_without_replica_file(self):
        """
        Exercise CA installation on two replicas around a domain-level change.

        Each replica is first asked to install a CA with the domain-level
        argument that is expected to be rejected, then with the one that is
        expected to succeed; the master's domain level is raised in between.

        Test plan:
        http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
        _ipa-ca-install_with_replica_file_works_only_on_domain_level_0
        """
        master = self.master
        first_replica, second_replica = self.replicas[0], self.replicas[1]
        for host in self.replicas:
            tasks.install_replica(
                master, host, setup_ca=False, setup_dns=True)

        # Before the level is raised, a DOMAIN_LEVEL_1 install must be
        # refused with a request for a replica file.
        missing_file_msg = (
            "If you wish to replicate CA to this host,"
            " please re-run 'ipa-ca-install'\nwith a"
            " replica file generated on an existing CA"
            " master as argument."
        )
        rejected = tasks.install_ca(
            first_replica, domain_level=DOMAIN_LEVEL_1, raiseonerr=False)
        assert_error(rejected, missing_file_msg, 1)
        tasks.install_ca(first_replica, domain_level=DOMAIN_LEVEL_0)

        # Reverse situation: raise the domain level on the master, after
        # which a DOMAIN_LEVEL_0 install must be refused.
        # NOTE(review): no explicit replica-file preparation is visible in
        # this method; presumably tasks.install_ca handles it -- confirm.
        master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
        unneeded_file_msg = (
            'Too many parameters provided.'
            ' No replica file is required'
        )
        rejected = tasks.install_ca(
            second_replica, domain_level=DOMAIN_LEVEL_0, raiseonerr=False)
        assert_error(rejected, unneeded_file_msg, 1)
        tasks.install_ca(second_replica, domain_level=DOMAIN_LEVEL_1)
Example #3
def check_master_removal(host, hostname_to_remove,
                         force=False,
                         ignore_topology_disconnect=False,
                         ignore_last_of_role=False):
    """Delete a server via ``tasks.run_server_del`` and verify it is gone.

    Asserts that the deletion returned 0, that stderr carries the notice
    matching every override flag that was set, and that a following
    ``ipa server-show`` for the removed hostname fails with return code 2.

    The three flags are forwarded unchanged to ``tasks.run_server_del``.
    """
    result = tasks.run_server_del(
        host,
        hostname_to_remove,
        force=force,
        ignore_topology_disconnect=ignore_topology_disconnect,
        ignore_last_of_role=ignore_last_of_role)

    assert result.returncode == 0

    # Each safety override that was requested must leave a visible notice
    # in stderr, so an override can never be applied silently.
    notices_by_flag = (
        (force,
         "Forcing removal of {hostname}".format(
             hostname=hostname_to_remove)),
        (ignore_topology_disconnect,
         "Ignoring topology connectivity errors."),
        (ignore_last_of_role,
         "Ignoring these warnings and proceeding with removal"),
    )
    for requested, notice in notices_by_flag:
        if requested:
            assert notice in result.stderr_text

    # The removed server must no longer be resolvable through the API.
    lookup = host.run_command(
        ['ipa', 'server-show', hostname_to_remove], raiseonerr=False)
    tasks.assert_error(
        lookup,
        "{}: server not found".format(hostname_to_remove),
        returncode=2)
 def test_promotion_disabled(self):
     """
     Check that replica promotion is refused while the domain is at level 0.

     The first replica host is enrolled as a client, then
     ``ipa-replica-install`` is run without a replica file and must fail
     with return code 1.

     Test plan:
     http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
     _Make_sure_the_feature_is_unavailable_under_domain_level_0
     """
     host = self.replicas[0]
     tasks.install_client(self.master, host)
     # NOTE(review): both passwords travel as argv elements and may be
     # visible in the process list or in harness logs on the test host.
     promote_cmd = [
         "ipa-replica-install",
         "-U",
         "-p", self.master.config.dirman_password,
         "-w", self.master.config.admin_password,
         "--ip-address", host.ip,
     ]
     outcome = host.run_command(promote_cmd, raiseonerr=False)
     expected = (
         "You must provide a file generated by ipa-replica-prepare"
         " to create a replica when the domain is at level 0"
     )
     assert_error(outcome, expected, 1)
Example #5
    def test_ca_install_without_replica_file(self):
        """
        Check CA installation on replicas before and after raising the
        domain level on the master.

        Both replicas are installed without a CA. On the first one a
        DOMAIN_LEVEL_1 install is expected to fail and a DOMAIN_LEVEL_0
        install to succeed; after ``ipa domainlevel-set`` the expectations
        are reversed on the second replica.

        TestCase:
        http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
        _ipa-ca-install_with_replica_file_works_only_on_domain_level_0
        """
        master = self.master
        replica1 = self.replicas[0]
        replica2 = self.replicas[1]
        # Install every replica without a CA so the CA can be added later.
        for replica in self.replicas:
            tasks.install_replica(master,
                                  replica,
                                  setup_ca=False,
                                  setup_dns=True)
        # raiseonerr=False lets the failure be inspected instead of raised.
        result1 = tasks.install_ca(replica1,
                                   domain_level=DOMAIN_LEVEL_1,
                                   raiseonerr=False)
        assert_error(
            result1, "If you wish to replicate CA to this host,"
            " please re-run 'ipa-ca-install'\nwith a"
            " replica file generated on an existing CA"
            " master as argument.", 1)

        tasks.install_ca(replica1, domain_level=DOMAIN_LEVEL_0)
        # Raise the domain level on the master to test the reverse situation.
        # NOTE(review): no explicit replica-file preparation or copy step is
        # visible here; presumably tasks.install_ca takes care of it -- confirm.
        master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
        result2 = tasks.install_ca(replica2,
                                   domain_level=DOMAIN_LEVEL_0,
                                   raiseonerr=False)
        assert_error(
            result2, 'Too many parameters provided.'
            ' No replica file is required', 1)
        tasks.install_ca(replica2, domain_level=DOMAIN_LEVEL_1)
Example #6
 def test_removal_of_master_raises_error_about_dnssec(self):
     """Check that server-del refuses to remove the DNSSEC key master.

     The deletion of the master's hostname is issued from the first
     replica and must be rejected with return code 1 and the DNSSEC
     warning on stderr.
     """
     outcome = tasks.run_server_del(self.replicas[0], self.master.hostname)
     expected = (
         "Replica is active DNSSEC key master. Uninstall "
         "could break your DNS system. Please disable or replace "
         "DNSSEC key master first."
     )
     tasks.assert_error(outcome, expected, 1)
Example #7
 def test_client_enrollment_by_unprivileged_user(self):
     """Check that enrolling a host with ``self.username`` is refused.

     Negative authorization test: ``ipa-client-install`` is run with the
     credentials of ``self.username`` (presumably an account without the
     enrollment privilege, set up outside this method) and must fail with
     "No permission to join this host" and return code 1.
     """
     host = self.replicas[0]
     # NOTE(review): the password is passed in argv; fine for a disposable
     # test account, not a pattern to copy for real credentials.
     enroll_cmd = [
         'ipa-client-install',
         '-p', self.username,
         '-w', self.new_password,
         '--domain', host.domain.name,
         '--realm', host.domain.realm,
         '-U',
         '--server', self.master.hostname,
     ]
     outcome = host.run_command(enroll_cmd, raiseonerr=False)
     assert_error(outcome, "No permission to join this host", 1)
 def test_replica_prepare_disabled(self):
     """Check that ``ipa-replica-prepare`` is rejected on the master.

     The command is run for the first replica and must fail with return
     code 1 and the "supported only in 0-level IPA domain" message.
     """
     target = self.replicas[0]
     prepare_cmd = [
         'ipa-replica-prepare',
         '-p', self.master.config.dirman_password,
         '--ip-address', target.ip,
         target.hostname,
     ]
     outcome = self.master.run_command(prepare_cmd, raiseonerr=False)
     expected = (
         "Replica creation using 'ipa-replica-prepare'"
         " to generate replica file\n"
         "is supported only in 0-level IPA domain"
     )
     assert_error(outcome, expected, 1)
 def test_client_enrollment_by_unprivileged_user(self):
     """Verify the permission check on host enrollment.

     Runs ``ipa-client-install`` on the first replica host with the
     ``self.username`` / ``self.new_password`` credentials and expects
     the join to be denied (return code 1).
     """
     host = self.replicas[0]
     credentials = ['-p', self.username, '-w', self.new_password]
     location = ['--domain', host.domain.name,
                 '--realm', host.domain.realm]
     server = ['-U', '--server', self.master.hostname]
     argv = ['ipa-client-install'] + credentials + location + server
     denied = host.run_command(argv, raiseonerr=False)
     # A pass here means the server refused the join for this account.
     assert_error(denied, "No permission to join this host", 1)
Example #10
 def test_removal_of_master_raises_error_about_last_ca(self):
     """
     Check that server-del refuses to remove the master when doing so
     would leave the installation without a CA.
     """
     outcome = tasks.run_server_del(self.replicas[0], self.master.hostname)
     expected = (
         "Deleting this server is not allowed as it would leave your "
         "installation without a CA."
     )
     tasks.assert_error(outcome, expected, 1)
Example #11
 def test_removal_of_master_raises_error_about_last_dns(self):
     """
     Check that server-del complains when removing the master would
     leave the installation without a DNS server.
     """
     outcome = tasks.run_server_del(self.replicas[0], self.master.hostname)
     expected = (
         "Deleting this server will leave your installation "
         "without a DNS."
     )
     tasks.assert_error(outcome, expected, 1)
Example #12
 def test_removal_of_nonexistent_master_raises_error(self):
     """
     Check that server-del for an unknown hostname fails with
     "server not found" and return code 2.
     """
     bogus_host = u'bogus-master.bogus.domain'
     expected = "{}: server not found".format(bogus_host)
     outcome = tasks.run_server_del(self.client, bogus_host)
     tasks.assert_error(outcome, expected, returncode=2)
Example #13
 def test_replica_promotion_by_unprivileged_user(self):
     """Check that ``self.username`` cannot promote a client to a replica.

     Negative authorization test: the host is enrolled as a client, then
     ``ipa-replica-install`` is run with the credentials of
     ``self.username`` (presumably lacking the promotion privilege; the
     account is set up outside this method) and must fail with return
     code 1.
     """
     host = self.replicas[0]
     tasks.install_client(self.master, host)
     promote_cmd = [
         'ipa-replica-install',
         '-P', self.username,
         '-p', self.new_password,
         '-n', self.master.domain.name,
         '-r', self.master.domain.realm,
     ]
     outcome = host.run_command(promote_cmd, raiseonerr=False)
     assert_error(
         outcome, "Insufficient privileges to promote the server", 1)
Example #14
 def test_replica_prepare_disabled(self):
     """Verify that generating a replica file on the master is refused.

     ``ipa-replica-prepare`` is invoked for the first replica's hostname
     and IP address; the expected result is return code 1 with the
     "supported only in 0-level IPA domain" error.
     """
     new_host = self.replicas[0]
     argv = ['ipa-replica-prepare']
     # NOTE(review): Directory Manager password passed as an argv element.
     argv += ['-p', self.master.config.dirman_password]
     argv += ['--ip-address', new_host.ip]
     argv.append(new_host.hostname)
     refused = self.master.run_command(argv, raiseonerr=False)
     message = ("Replica creation using 'ipa-replica-prepare'"
                " to generate replica file\n"
                "is supported only in 0-level IPA domain")
     assert_error(refused, message, 1)
Example #15
 def test_replica_promotion_by_unprivileged_user(self):
     """Verify the privilege check on replica promotion.

     After enrolling the first replica host as a client, promotion is
     attempted with ``self.username`` / ``self.new_password`` and is
     expected to be denied with return code 1.
     """
     host = self.replicas[0]
     tasks.install_client(self.master, host)
     principal = ['-P', self.username, '-p', self.new_password]
     domain = ['-n', self.master.domain.name,
               '-r', self.master.domain.realm]
     denied = host.run_command(
         ['ipa-replica-install'] + principal + domain, raiseonerr=False)
     # A pass here means the promotion was refused for this account.
     assert_error(
         denied, "Insufficient privileges to promote the server", 1)
 def test_replica_uninstallation_prohibited(self):
     """
     Check that a plain uninstall reports the topology-disconnect error.

     Test plan:
     http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
     #Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting
     _topology_segment
     """
     server = self.replicas[0]
     outcome = server.run_command(
         ["ipa-server-install", "--uninstall", "-U"], raiseonerr=False)
     # Due to ticket 3230 server installation/uninstallation always returns
     # 0 unless an uncaught exception occurs, so 0 is the expected return
     # code below. Once that ticket is addressed, change the expected code
     # to a non-zero value.
     # NOTE(review): with 0 expected, only the stderr text distinguishes a
     # refused uninstall from a successful one in this assertion.
     expected = (
         "Removal of '%s' leads to disconnected"
         " topology" % server.hostname
     )
     assert_error(outcome, expected, 0)
     # The explicit override is run without raiseonerr=False.
     override_cmd = [
         "ipa-server-install",
         "--uninstall",
         "-U",
         "--ignore-topology-disconnect",
     ]
     server.run_command(override_cmd)
Example #17
 def test_replica_uninstallation_prohibited(self):
     """
     Check that uninstalling a replica is refused when it would
     disconnect the topology, unless the override flag is given.

     Test plan:
     http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
     #Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting
     _topology_segment
     """
     server = self.replicas[0]
     plain_cmd = ['ipa-server-install', '--uninstall', '-U']
     outcome = server.run_command(plain_cmd, raiseonerr=False)
     expected = (
         "Removal of '%s' leads to disconnected"
         " topology" % server.hostname
     )
     # Return code 1: the refusal is visible in the exit status too.
     assert_error(outcome, expected, 1)
     override_cmd = ['ipa-server-install', '--uninstall', '-U',
                     '--ignore-topology-disconnect']
     server.run_command(override_cmd)
 def test_replica_after_domain_upgrade(self):
     """Check that user data still replicates after the domain level is raised.

     A user is added on the master, the domain level is set to
     DOMAIN_LEVEL_1, and the user must be visible on the first replica.
     The user is then deleted on the replica and must be reported as not
     found on the master (return code 2).
     """
     master = self.master
     replica = self.replicas[0]
     tasks.kinit_admin(master)
     tasks.kinit_admin(replica)

     add_cmd = ["ipa", "user-add", self.username,
                "--first", "test", "--last", "user"]
     master.run_command(add_cmd)
     tasks.wait_for_replication(replica.ldap_connect())

     master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
     shown = replica.run_command(["ipa", "user-show", self.username])
     login_line = "User login: %s" % self.username
     assert login_line in shown.stdout_text, (
         "A testuser was not found on replica after domain upgrade")

     # Deletion on the replica has to propagate back to the master.
     replica.run_command(["ipa", "user-del", self.username])
     tasks.wait_for_replication(master.ldap_connect())
     missing = master.run_command(
         ["ipa", "user-show", self.username], raiseonerr=False)
     assert_error(missing, "%s: user not found" % self.username, 2)
Example #19
 def test_replica_uninstallation_prohibited(self):
     """
     Verify the topology guard on ``ipa-server-install --uninstall``.

     The plain uninstall on the first replica must fail with return code
     1 and the "leads to disconnected topology" message; the same command
     with ``--ignore-topology-disconnect`` is then run normally.

     Test plan:
     http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
     #Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting
     _topology_segment
     """
     replica = self.replicas[0]
     refused = replica.run_command(
         ['ipa-server-install', '--uninstall', '-U'],
         raiseonerr=False,
     )
     message = ("Removal of '%s' leads to disconnected"
                " topology" % replica.hostname)
     assert_error(refused, message, 1)
     # The override has to be requested explicitly on the command line.
     replica.run_command(
         ['ipa-server-install', '--uninstall', '-U',
          '--ignore-topology-disconnect'])
 def test_kra_install_without_replica_file(self):
     """Exercise ``tasks.install_kra`` on two replicas around a level change.

     On the first replica a DOMAIN_LEVEL_1 install is expected to fail
     ("A replica file is required") and a DOMAIN_LEVEL_0 install to
     succeed. After the master's domain level is raised, a DOMAIN_LEVEL_0
     install on the second replica is expected to fail ("No replica file
     is required") and a default install to succeed.
     """
     master = self.master
     first_replica, second_replica = self.replicas[0], self.replicas[1]
     tasks.install_kra(master, first_instance=True)
     tasks.install_replica(master, first_replica)

     rejected = tasks.install_kra(
         first_replica, domain_level=DOMAIN_LEVEL_1, raiseonerr=False)
     assert_error(rejected, "A replica file is required", 1)
     tasks.install_kra(
         first_replica, domain_level=DOMAIN_LEVEL_0, raiseonerr=True)

     # Reverse situation: prepare the replica file for the second replica,
     # then raise the domain level on the master before installing it.
     tasks.replica_prepare(master, second_replica)
     master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
     tasks.install_replica(master, second_replica)
     rejected = tasks.install_kra(
         second_replica, domain_level=DOMAIN_LEVEL_0, raiseonerr=False)
     assert_error(rejected, "No replica file is required", 1)
     tasks.install_kra(second_replica)
Example #21
 def test_wrong_client_domain(self):
     """Verify that promotion is refused when the client's domain differs.

     The host is enrolled with ``self.domain_name`` as its domain and
     ``--force-join``; the following ``ipa-replica-install`` must fail
     with the "Local domain ... does not match IPA domain" message.
     """
     host = self.replicas[0]
     enroll_cmd = ['ipa-client-install', '-U']
     enroll_cmd += ['--domain', self.domain_name]
     enroll_cmd += ['--realm', self.master.domain.realm]
     # NOTE(review): admin password passed as an argv element -- visible
     # to anything that can read the process list on the test host.
     enroll_cmd += ['-p', 'admin', '-w', self.master.config.admin_password]
     enroll_cmd += ['--server', self.master.hostname, '--force-join']
     host.run_command(enroll_cmd)

     # NOTE(review): -w is given the Directory Manager password here;
     # presumably irrelevant because the domain check fails first -- confirm.
     refused = host.run_command(
         ['ipa-replica-install', '-U',
          '-w', self.master.config.dirman_password],
         raiseonerr=False,
     )
     message = ("Cannot promote this client to a replica. Local domain "
                "'%s' does not match IPA domain "
                "'%s'" % (self.domain_name, self.master.domain.name))
     assert_error(refused, message)
Example #22
 def test_promotion_disabled(self):
     """
     Verify that ``ipa-replica-install`` without a replica file fails
     with the "domain is at level 0" error and return code 1.

     Test plan:
     http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan#Test_case:
     _Make_sure_the_feature_is_unavailable_under_domain_level_0
     """
     enrolled = self.replicas[0]
     tasks.install_client(self.master, enrolled)
     argv = ['ipa-replica-install', '-U']
     # Directory Manager (-p) and admin (-w) passwords, both in argv.
     argv += ['-p', self.master.config.dirman_password]
     argv += ['-w', self.master.config.admin_password]
     argv += ['--ip-address', enrolled.ip]
     refused = enrolled.run_command(argv, raiseonerr=False)
     message = ('You must provide a file generated by ipa-replica-prepare'
                ' to create a replica when the domain is at level 0')
     assert_error(refused, message, 1)
Example #23
 def test_replica_after_domain_upgrade(self):
     """Verify replication in both directions across a domain-level raise.

     Master to replica: a user added before ``ipa domainlevel-set`` must
     be shown on the first replica afterwards. Replica to master: once
     the user is deleted on the replica, ``ipa user-show`` on the master
     must fail with return code 2.
     """
     origin = self.master
     peer = self.replicas[0]
     tasks.kinit_admin(origin)
     tasks.kinit_admin(peer)

     origin.run_command(
         ['ipa', 'user-add', self.username,
          '--first', 'test', '--last', 'user'])
     tasks.wait_for_replication(peer.ldap_connect())
     origin.run_command(['ipa', 'domainlevel-set', str(DOMAIN_LEVEL_1)])

     lookup = peer.run_command(['ipa', 'user-show', self.username])
     found = "User login: %s" % self.username in lookup.stdout_text
     assert found, (
         "A testuser was not found on replica after domain upgrade")

     peer.run_command(['ipa', 'user-del', self.username])
     tasks.wait_for_replication(origin.ldap_connect())
     after_delete = origin.run_command(
         ['ipa', 'user-show', self.username], raiseonerr=False)
     assert_error(after_delete, "%s: user not found" % self.username, 2)
 def test_client_enrollment_by_unprivileged_user(self):
     """Check that ``self.username`` is not allowed to join a host.

     ``ipa-client-install`` is run unattended on the first replica host
     with that account's credentials; the expected outcome is return
     code 1 and "No permission to join this host" on stderr.
     """
     machine = self.replicas[0]
     argv = ["ipa-client-install"]
     argv.extend(["-p", self.username])
     # NOTE(review): password in argv -- acceptable for a test account only.
     argv.extend(["-w", self.new_password])
     argv.extend(["--domain", machine.domain.name])
     argv.extend(["--realm", machine.domain.realm])
     argv.append("-U")
     argv.extend(["--server", self.master.hostname])
     refusal = machine.run_command(argv, raiseonerr=False)
     assert_error(refusal, "No permission to join this host", 1)
Example #25
 def test_kra_install_without_replica_file(self):
     """Check KRA installation on replicas before and after raising the
     domain level on the master.

     The step order matters: the KRA is installed on the master first,
     the first replica is tested before ``ipa domainlevel-set`` runs, and
     the second replica is prepared and installed around it.
     """
     master = self.master
     replica1 = self.replicas[0]
     replica2 = self.replicas[1]
     tasks.install_kra(master, first_instance=True)
     tasks.install_replica(master, replica1)
     # raiseonerr=False so the expected failure can be inspected.
     result1 = tasks.install_kra(replica1,
                                 domain_level=DOMAIN_LEVEL_1,
                                 raiseonerr=False)
     assert_error(result1, "A replica file is required", 1)
     # The DOMAIN_LEVEL_0 install is expected to succeed; errors raise.
     tasks.install_kra(replica1,
                       domain_level=DOMAIN_LEVEL_0,
                       raiseonerr=True)
     # Now prepare the replica file, copy it to the client and raise
     # domain level on master to test the reverse situation
     # NOTE(review): only replica_prepare is visible here; the copy step
     # is presumably done inside the tasks helpers -- confirm.
     tasks.replica_prepare(master, replica2)
     master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
     tasks.install_replica(master, replica2)
     result2 = tasks.install_kra(replica2,
                                 domain_level=DOMAIN_LEVEL_0,
                                 raiseonerr=False)
     assert_error(result2, "No replica file is required", 1)
     # Final install uses the helper's default domain_level argument.
     tasks.install_kra(replica2)
Example #26
def check_removal_disconnects_topology(
        host, hostname_to_remove,
        affected_suffixes=(DOMAIN_SUFFIX_NAME,)):
    """Run server-del and check which suffixes it reports as disconnected.

    For every suffix in ``affected_suffixes`` the matching
    ``REMOVAL_ERR_TEMPLATE`` message must be reported with return code 1;
    for the other known suffix the message must be absent from stderr.
    At most two suffixes may be passed.
    """
    result = tasks.run_server_del(host, hostname_to_remove)
    assert len(affected_suffixes) <= 2

    # One expected error message per known suffix (CA first, then domain).
    err_messages_by_suffix = {
        suffix: REMOVAL_ERR_TEMPLATE.format(
            hostname=hostname_to_remove, suffix=suffix)
        for suffix in (CA_SUFFIX_NAME, DOMAIN_SUFFIX_NAME)
    }

    for suffix, message in err_messages_by_suffix.items():
        if suffix not in affected_suffixes:
            # An unaffected suffix must not be mentioned at all.
            assert message not in result.stderr_text
            continue
        tasks.assert_error(result, message, returncode=1)
Example #27
    def test_replica_manage_commands(self):
        """
        Check that the legacy replication-agreement commands work before
        the domain level is raised and are rejected as deprecated after.

        ``ipa-replica-manage connect/disconnect`` must return 0 first;
        after ``ipa domainlevel-set`` the same commands, and the
        ``ipa-csreplica-manage`` del/connect/disconnect commands, must
        fail with return code 1 and a deprecation message.

        TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
        #Test_case:_ipa-replica-manage_connect_is_deprecated_in_domain_level_1
        """
        master = self.master
        replica1 = self.replicas[0]
        replica2 = self.replicas[1]

        # Before the level change both legacy commands are expected to work.
        result1 = master.run_command([
            "ipa-replica-manage", "connect", replica1.hostname,
            replica2.hostname
        ],
                                     raiseonerr=False)
        assert result1.returncode == 0, result1.stderr_text
        result2 = master.run_command([
            "ipa-replica-manage", "disconnect", replica1.hostname,
            replica2.hostname
        ],
                                     raiseonerr=False)
        assert result2.returncode == 0, result2.stderr_text
        # From here on the topology is expected to be managed via
        # `ipa topologysegment-*`, per the error messages asserted below.
        master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
        result3 = master.run_command([
            "ipa-replica-manage", "connect", replica1.hostname,
            replica2.hostname
        ],
                                     raiseonerr=False)
        assert_error(
            result3, 'Creation of IPA replication agreement is'
            ' deprecated with managed IPA replication'
            ' topology. Please use `ipa topologysegment-*`'
            ' commands to manage the topology', 1)
        # Create a segment between the replicas before the disconnect
        # attempt; it is destroyed again further down by name.
        segment = tasks.create_segment(master, replica1, replica2)
        result4 = master.run_command([
            "ipa-replica-manage", "disconnect", replica1.hostname,
            replica2.hostname
        ],
                                     raiseonerr=False)
        assert_error(
            result4, 'Removal of IPA replication agreement is'
            ' deprecated with managed IPA replication'
            ' topology. Please use `ipa topologysegment-*`'
            ' commands to manage the topology', 1)

        # Test plan: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
        # #Test_case:_ipa-csreplica-manage_connect_is_deprecated
        # _in_domain_level_1

        # NOTE(review): the Directory Manager password is passed with -p as
        # an argv element in the ipa-csreplica-manage calls below.
        result5 = master.run_command([
            'ipa-csreplica-manage', 'del', replica1.hostname, '-p',
            master.config.dirman_password
        ],
                                     raiseonerr=False)
        assert_error(
            result5, "Removal of IPA CS replication agreement"
            " and replication data is deprecated with"
            " managed IPA replication topology", 1)

        # Remove the segment before the connect attempt.
        tasks.destroy_segment(master, segment[0]['name'])
        result6 = master.run_command([
            "ipa-csreplica-manage", "connect", replica1.hostname,
            replica2.hostname, '-p', master.config.dirman_password
        ],
                                     raiseonerr=False)
        assert_error(
            result6, "Creation of IPA CS replication agreement is"
            " deprecated with managed IPA replication"
            " topology", 1)
        # Re-create the segment before the disconnect attempt.
        tasks.create_segment(master, replica1, replica2)
        result7 = master.run_command([
            "ipa-csreplica-manage", "disconnect", replica1.hostname,
            replica2.hostname, '-p', master.config.dirman_password
        ],
                                     raiseonerr=False)
        assert_error(
            result7, "Removal of IPA CS replication agreement is"
            " deprecated with managed IPA"
            " replication topology", 1)
Example #28
    def test_replica_manage_commands(self):
        """
        Verify that ``ipa-replica-manage`` and ``ipa-csreplica-manage``
        agreement commands are rejected once the domain level is raised.

        The first connect/disconnect pair runs before
        ``ipa domainlevel-set`` and must return 0. Every later call is
        expected to fail with return code 1 and a deprecation message.

        TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
        #Test_case:_ipa-replica-manage_connect_is_deprecated_in_domain_level_1
        """
        master = self.master
        replica1 = self.replicas[0]
        replica2 = self.replicas[1]

        # Baseline: the legacy commands succeed before the level change.
        result1 = master.run_command(["ipa-replica-manage",
                                      "connect",
                                      replica1.hostname,
                                      replica2.hostname],
                                     raiseonerr=False)
        assert result1.returncode == 0, result1.stderr_text
        result2 = master.run_command(["ipa-replica-manage",
                                      "disconnect",
                                      replica1.hostname,
                                      replica2.hostname],
                                     raiseonerr=False)
        assert result2.returncode == 0, result2.stderr_text
        # Raise the domain level; the remaining calls must be refused.
        master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
        result3 = master.run_command(["ipa-replica-manage",
                                      "connect",
                                      replica1.hostname,
                                      replica2.hostname],
                                     raiseonerr=False)
        assert_error(result3, 'Creation of IPA replication agreement is'
                              ' deprecated with managed IPA replication'
                              ' topology. Please use `ipa topologysegment-*`'
                              ' commands to manage the topology', 1)
        # A segment is created first so there is something to disconnect;
        # its name is reused for destroy_segment below.
        segment = tasks.create_segment(master, replica1, replica2)
        result4 = master.run_command(["ipa-replica-manage",
                                      "disconnect",
                                      replica1.hostname,
                                      replica2.hostname],
                                     raiseonerr=False)
        assert_error(result4, 'Removal of IPA replication agreement is'
                              ' deprecated with managed IPA replication'
                              ' topology. Please use `ipa topologysegment-*`'
                              ' commands to manage the topology', 1)

        # Test plan: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
        # #Test_case:_ipa-csreplica-manage_connect_is_deprecated
        # _in_domain_level_1

        # NOTE(review): -p carries the Directory Manager password in argv
        # for each ipa-csreplica-manage call below; test credentials only.
        result5 = master.run_command(['ipa-csreplica-manage', 'del',
                                      replica1.hostname,
                                      '-p', master.config.dirman_password],
                                     raiseonerr=False)
        assert_error(result5, "Removal of IPA CS replication agreement"
                              " and replication data is deprecated with"
                              " managed IPA replication topology", 1)

        # Segment removed before the connect attempt ...
        tasks.destroy_segment(master, segment[0]['name'])
        result6 = master.run_command(["ipa-csreplica-manage",
                                      "connect",
                                      replica1.hostname,
                                      replica2.hostname,
                                      '-p', master.config.dirman_password],
                                     raiseonerr=False)
        assert_error(result6, "Creation of IPA CS replication agreement is"
                              " deprecated with managed IPA replication"
                              " topology", 1)
        # ... and re-created before the disconnect attempt.
        tasks.create_segment(master, replica1, replica2)
        result7 = master.run_command(["ipa-csreplica-manage",
                                      "disconnect",
                                      replica1.hostname,
                                      replica2.hostname,
                                      '-p', master.config.dirman_password],
                                     raiseonerr=False)
        assert_error(result7, "Removal of IPA CS replication agreement is"
                              " deprecated with managed IPA"
                              " replication topology", 1)