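def enroll_idm_and_configure_external_auth():
    """Enroll the Satellite6 Server to an IDM Server.

    Installs the IPA client packages on the default host, then on the IDM
    host obtains an admin Kerberos ticket, adds this server as a host with a
    random enrollment password and adds its HTTP service. Finally runs
    ``ipa-client-install`` on the default host with that password.

    Raises:
        RuntimeError: if the ``ipa host-add`` output has no
            "Random password" line, so no enrollment password is available.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    run_command(
        cmd='yum -y --disableplugin=foreman-protector install ipa-client ipa-admintools'
    )
    # Quote the admin password: unquoted, characters such as ``$``, ``;`` or
    # ``&`` in it would be interpreted by the shell instead of reaching kinit.
    # NOTE(review): the secret is still part of the command string; confirm
    # run_command does not log the commands it executes.
    run_command(
        cmd=f"echo {shlex.quote(settings.ipa.password_ipa)} | kinit admin",
        hostname=settings.ipa.hostname_ipa,
    )
    result = run_command(
        cmd=f"ipa host-add --random {settings.server.hostname}",
        hostname=settings.ipa.hostname_ipa,
    )
    password = None
    for line in result:
        if "Random password" in line:
            # maxsplit=1 keeps everything after the first ': ' as the
            # password, even when the password itself contains ': '.
            _, password = line.split(': ', 1)
            password = password.rstrip('\r\n')
            break
    if password is None:
        # Previously this surfaced as an unbound-variable error further down.
        raise RuntimeError(
            "'ipa host-add --random' did not report a random password; cannot enroll"
        )
    run_command(
        cmd=f"ipa service-add HTTP/{settings.server.hostname}",
        hostname=settings.ipa.hostname_ipa,
    )
    _, domain = settings.ipa.hostname_ipa.split('.', 1)
    # shlex.quote instead of hand-written single quotes: a generated password
    # that contains a single quote would otherwise end the quoting early.
    run_command(
        cmd=f"ipa-client-install --password {shlex.quote(password)} "
        f"--domain {domain} "
        f"--server {settings.ipa.hostname_ipa} "
        f"--realm {domain.upper()} -U"
    )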
def test_positive_foreman_service_auto_restart(foreman_service_teardown):
    """Foreman Service should get auto-restarted in case it is halted or stopped for some reason

    :CaseComponent: Infrastructure

    :id: 766560b8-30bb-11eb-8dae-d46d6dd3b5b2

    :Steps:
        1. Stop the Foreman Service
        2. Make any API call to Satellite

    :expectedresults: Foreman Service should get restarted automatically
    """
    status_cmd = 'foreman-maintain service status --only=foreman'
    run_command('systemctl stop foreman')
    # Queried through ssh.command so the non-zero return code can be asserted.
    status = ssh.command(status_cmd)
    assert status.return_code == 1
    assert 'not running (foreman)' in ''.join(status.stdout)
    # The API call of step 2: look up the default organization by name.
    found = entities.Organization().search(query={'search': f'name="{DEFAULT_ORG}"'})
    assert found[0]
    # Same status query again, this time through run_command.
    run_command(status_cmd)
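def subscribe_satellite(clean_rhsm, default_sat):
    """Subscribe the Satellite to the CDN for the duration of the tests.

    Registers with the configured RHN credentials, attaches the configured
    pool and enables the server-extras repository for the Satellite's major
    OS version, then yields. After the yield the system is unsubscribed.
    If the attach output lacks the success message the fixture fails the
    test; ``pytest.fail`` raises, so ``unsubscribe()`` is not reached on
    that path.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    # Quote the credentials: a password containing ``$``, ``&``, ``;`` or a
    # space would otherwise be split or expanded by the shell.
    # NOTE(review): --password puts the secret on the command line; confirm
    # run_command does not log the commands it executes.
    register_cmd = 'subscription-manager register --force --user={} --password={} {}'.format(
        shlex.quote(settings.subscription.rhn_username),
        shlex.quote(settings.subscription.rhn_password),
        # release follows the Satellite's major OS version, e.g. "7Server"
        f'--release="{default_sat.os_version.major}Server"',
    )
    run_command(register_cmd)

    success_msg = 'Successfully attached a subscription'
    result = run_command(
        f'subscription-manager attach --pool={settings.subscription.rhn_poolid}'
    )
    # Join first, as other callers of run_command in this module do: a
    # substring test then works whether the output is one string or a list
    # of lines (on a list, ``in`` would demand an exact line match).
    if success_msg not in ''.join(result):
        pytest.fail("Failed to attach system to pool. Aborting Test!.")
    run_command(
        'subscription-manager repos --enable '
        f'"rhel-{default_sat.os_version.major}-server-extras-rpms"'
    )
    yield
    unsubscribe()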
def configure_hammer_session(self, enable=True):
    """Back up the hammer config file and set ``:use_sessions`` in it.

    Copies the config to ``<config>.backup``, deletes any existing
    ``:use_sessions`` line and appends a new one whose value is ``true``
    when *enable* is truthy and ``false`` otherwise.
    """
    session_flag = 'true' if enable else 'false'
    # NOTE(review): confirm the leading whitespace inside the echoed line
    # matches the nesting the config file expects.
    steps = (
        f"cp {HAMMER_CONFIG} {HAMMER_CONFIG}.backup",
        f"sed -i '/:use_sessions.*/d' {HAMMER_CONFIG}",
        f"echo ' :use_sessions: {session_flag}' >> {HAMMER_CONFIG}",
    )
    for step in steps:
        run_command(step)
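def enroll_configure_rhsso_external_auth():
    """Enroll the Satellite6 Server to an RHSSO Server.

    Installs ``mod_auth_openidc`` and ``keycloak-httpd-client-install``,
    registers the ``foreman-openidc`` client against the configured RHSSO
    host and realm, enables keycloak in ``satellite-installer`` and restarts
    httpd.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    run_command(
        cmd='yum -y --disableplugin=foreman-protector install '
        'mod_auth_openidc keycloak-httpd-client-install'
    )
    # Settings values are shell-quoted before interpolation: an unquoted
    # password or URL containing ``$``, ``&``, ``;`` or ``?`` would be
    # interpreted by the shell rather than passed to the tool.
    # NOTE(review): the admin password is still part of the command string;
    # confirm run_command does not log the commands it executes.
    realm = shlex.quote(settings.rhsso.realm)
    run_command(
        cmd=(
            f'echo {shlex.quote(settings.rhsso.password)} | '
            'keycloak-httpd-client-install --app-name foreman-openidc '
            f'--keycloak-server-url {shlex.quote(settings.rhsso.host_url)} '
            '--keycloak-admin-username "admin" '
            f'--keycloak-realm {realm} '
            '--keycloak-admin-realm master '
            '--keycloak-auth-role root-admin -t openidc -l /users/extlogin --force'
        )
    )
    run_command(
        cmd='satellite-installer --foreman-keycloak true '
        "--foreman-keycloak-app-name 'foreman-openidc' "
        f"--foreman-keycloak-realm {realm}",
        timeout=1000000,
    )
    run_command(cmd="systemctl restart httpd")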
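def enroll_ad_and_configure_external_auth(request, ad_data):
    """Enroll Satellite Server to an AD Server.

    *ad_data* is called with ``'2019'`` when the lower-cased
    ``request.param`` contains ``2019`` and without arguments otherwise; the
    returned object supplies ``realm``, ``workgroup`` and ``nameserver``.
    The function installs the client packages, inserts the AD nameserver
    into ``/etc/resolv.conf``, joins the realm, writes the IPA, net-keytab
    and gssproxy configuration files and creates the HTTP keytab.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    auth_type = request.param.lower()
    ad_data = ad_data('2019') if '2019' in auth_type else ad_data()
    packages = (
        'sssd adcli realmd ipa-python-compat krb5-workstation '
        'samba-common-tools gssproxy nfs-utils ipa-client'
    )
    realm = ad_data.realm
    workgroup = ad_data.workgroup
    default_content = f'[global]\nserver = unused\nrealm = {realm}'
    keytab_content = (
        f'[global]\nworkgroup = {workgroup}\nrealm = {realm}'
        f'\nkerberos method = system keytab\nsecurity = ads'
    )
    # Quoted once and reused: an unquoted password containing ``$``, ``&``
    # or ``;`` would be interpreted by the shell.
    # NOTE(review): the secret is still part of the command string; confirm
    # run_command does not log the commands it executes.
    ldap_password = shlex.quote(settings.ldap.password)

    # install the required packages
    run_command(cmd=f'yum -y --disableplugin=foreman-protector install {packages}')

    # update the AD name server; the immutable flag is cleared for the edit
    # and set again afterwards
    run_command(cmd='chattr -i /etc/resolv.conf')
    result = run_command(
        cmd="awk -v search='nameserver' '$0~search{print NR; exit}' /etc/resolv.conf"
    )
    # Normalize the output so the sed address is a bare number whether
    # run_command hands back one string or a list of lines.
    line_number = ''.join(result).strip()
    run_command(
        cmd=f'sed -i "{line_number}i nameserver {ad_data.nameserver}" /etc/resolv.conf'
    )
    run_command(cmd='chattr +i /etc/resolv.conf')

    # join the realm
    run_command(cmd=f'echo {ldap_password} | realm join -v {realm}')
    run_command(cmd='touch /etc/ipa/default.conf')
    run_command(cmd=f'echo "{default_content}" > /etc/ipa/default.conf')
    run_command(cmd=f'echo "{keytab_content}" > /etc/net-keytab.conf')

    # gather the apache id, normalized the same way as the line number
    result = run_command(cmd='id -u apache')
    id_apache = ''.join(result).strip()
    http_conf_content = (
        f'[service/HTTP]\nmechs = krb5\ncred_store = keytab:/etc/krb5.keytab'
        f'\ncred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U'
        f'\neuid = {id_apache}'
    )

    # register the satellite as client for external auth
    run_command(cmd=f'echo "{http_conf_content}" > /etc/gssproxy/00-http.conf')
    token_command = (
        'KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP '
        '-U administrator -d3 -s /etc/net-keytab.conf'
    )
    run_command(cmd=f'echo {ldap_password} | {token_command}')
    # keytab: owner root, group apache, no access for others
    run_command(cmd='chown root.apache /etc/httpd/conf/http.keytab')
    run_command(cmd='chmod 640 /etc/httpd/conf/http.keytab')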
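def configure_realm():
    """Configure the realm feature of the foreman-proxy.

    Downloads the FreeIPA keytab, moves it to ``/etc/foreman-proxy`` owned
    by ``foreman-proxy``, runs ``satellite-installer`` with the realm
    principal ``realm-proxy@<REALM>`` (the upper-cased ``vm_domain``) and
    the resolved IPA address as DHCP nameserver, adds the IPA CA certificate
    to the system trust anchors and restarts the foreman-proxy service.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    realm = settings.upgrade.vm_domain.upper()
    # --fail makes curl exit non-zero on an HTTP error instead of saving the
    # server's error page as the keytab; the URL is quoted so ``&`` or ``?``
    # in it is not interpreted by the shell.
    # NOTE(review): a keytab is credential material. Confirm keytab_url is
    # fetched over an authenticated, encrypted channel and that the file
    # mode after the move is restrictive; only ownership is set here.
    run_command(
        cmd=f'curl --fail -o /root/freeipa.keytab {shlex.quote(settings.ipa.keytab_url)}'
    )
    run_command(cmd='mv /root/freeipa.keytab /etc/foreman-proxy')
    run_command(cmd='chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab')
    # The IPA hostname is resolved on the machine running this code, not on
    # the host where the installer command executes.
    ipa_address = socket.gethostbyname(settings.ipa.hostname)
    run_command(
        cmd='satellite-installer --foreman-proxy-realm true '
        f'--foreman-proxy-realm-principal realm-proxy@{realm} '
        f'--foreman-proxy-dhcp-nameservers {ipa_address}'
    )
    # Adding the IPA CA to the trust anchors makes it trusted system-wide.
    run_command(cmd='cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt')
    run_command(cmd='update-ca-trust enable ; update-ca-trust')
    run_command(cmd='service foreman-proxy restart')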
def rh_sso_hammer_auth_cleanup():
    """Move the hammer config backup back into place and reset the RHSSO client.

    The client configuration is updated with ``publicClient`` set to the
    string ``"false"``.
    """
    backup_path = f"{HAMMER_CONFIG}.backup"
    run_command(f"mv {backup_path} {HAMMER_CONFIG}")
    update_client_configuration({"publicClient": "false"})
def test_single_sign_on_ldap_ipa_server(enroll_idm_and_configure_external_auth, ldap_tear_down):
    """Verify the single sign-on functionality with external authentication

    :id: 9813a4da-4639-11ea-9780-d46d6dd3b5b2

    :setup: Enroll the IDM Configuration for External Authentication

    :steps: Assert single sign-on session user directed to satellite instead login page

    :expectedresults: After single sign on user should redirected from /extlogin to /hosts page

    """
    # register the satellite with IPA for single sign-on and update external auth
    try:
        run_command(cmd="subscription-manager repos --enable rhel-7-server-optional-rpms")
        run_command(cmd='satellite-installer --foreman-ipa-authentication=true', timeout=800)
        run_command('foreman-maintain service restart', timeout=300)
        # Issued from the IPA host. -k: curl does not verify the Satellite's
        # TLS certificate for this request.
        curl_output = run_command(
            cmd=f"curl -k -u : --negotiate https://{settings.server.hostname}/users/extlogin/",
            hostname=settings.ipa.hostname_ipa,
        )
        page = ''.join(curl_output)
        expected_fragments = (
            'redirected',
            f'https://{settings.server.hostname}/hosts',
            'You are being',
        )
        for fragment in expected_fragments:
            assert fragment in page
    finally:
        # resetting the settings to default for external auth, then removing
        # the service and host entries on the IPA side
        run_command(cmd='satellite-installer --foreman-ipa-authentication=false', timeout=800)
        run_command('foreman-maintain service restart', timeout=300)
        run_command(
            cmd=f'ipa service-del HTTP/{settings.server.hostname}',
            hostname=settings.ipa.hostname_ipa,
        )
        run_command(
            cmd=f'ipa host-del {settings.server.hostname}',
            hostname=settings.ipa.hostname_ipa,
        )
def foreman_service_teardown():
    """Yield to the test, then start the foreman service again."""
    start_foreman = 'foreman-maintain service start --only=foreman'
    yield
    # Runs after the yield, i.e. once the consumer of this generator resumes it.
    run_command(start_foreman)
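def enroll_ad_and_configure_external_auth():
    """Enroll Satellite Server to an AD Server.

    Uses ``settings.ldap`` for realm, nameserver and password; the workgroup
    is the first dot-separated label of the realm. The function installs
    the client packages, inserts the AD nameserver into
    ``/etc/resolv.conf``, joins the realm, writes the IPA, net-keytab and
    gssproxy configuration files and creates the HTTP keytab.
    """
    # Function-scope import so the module's import block stays untouched.
    import shlex

    packages = (
        'sssd adcli realmd ipa-python-compat krb5-workstation '
        'samba-common-tools gssproxy nfs-utils ipa-client'
    )
    realm = settings.ldap.realm
    workgroup = realm.split(".")[0]
    default_content = f"[global]\nserver = unused\nrealm = {realm}"
    keytab_content = (
        f"[global]\nworkgroup = {workgroup}\nrealm = {realm}"
        f"\nkerberos method = system keytab\nsecurity = ads"
    )
    # Quoted once and reused: an unquoted password containing ``$``, ``&``
    # or ``;`` would be interpreted by the shell.
    # NOTE(review): the secret is still part of the command string; confirm
    # run_command does not log the commands it executes.
    ldap_password = shlex.quote(settings.ldap.password)

    # install the required packages
    run_command(cmd=f'yum -y --disableplugin=foreman-protector install {packages}')

    # update the AD name server; the immutable flag is cleared for the edit
    # and set again afterwards
    run_command(cmd="chattr -i /etc/resolv.conf")
    result = run_command(
        cmd="awk -v search='nameserver' '$0~search{print NR; exit}' /etc/resolv.conf"
    )
    # int() rejects anything but a line number before it reaches sed
    line_number = int(''.join(result))
    run_command(
        cmd=f'sed -i "{line_number}i nameserver {settings.ldap.nameserver}" /etc/resolv.conf'
    )
    run_command(cmd="chattr +i /etc/resolv.conf")

    # join the realm
    run_command(cmd=f"echo {ldap_password} | realm join -v {realm}")
    run_command(cmd="touch /etc/ipa/default.conf")
    run_command(cmd=f'echo "{default_content}" > /etc/ipa/default.conf')
    run_command(cmd=f'echo "{keytab_content}" > /etc/net-keytab.conf')

    # gather the apache id
    result = run_command(cmd="id -u apache")
    id_apache = "".join(result)
    http_conf_content = (
        f"[service/HTTP]\nmechs = krb5\ncred_store = keytab:/etc/krb5.keytab"
        f"\ncred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U"
        f"\neuid = {id_apache}"
    )

    # register the satellite as client for external auth
    run_command(cmd=f'echo "{http_conf_content}" > /etc/gssproxy/00-http.conf')
    token_command = (
        "KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP "
        "-U administrator -d3 -s /etc/net-keytab.conf"
    )
    run_command(cmd=f"echo {ldap_password} | {token_command}")
    # keytab: owner root, group apache, no access for others
    run_command(cmd="chown root.apache /etc/httpd/conf/http.keytab")
    run_command(cmd="chmod 640 /etc/httpd/conf/http.keytab")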
def unsubscribe():
    """Unregister the machine from the CDN, then clean its subscription data."""
    for action in ('unregister', 'clean'):
        run_command(f'subscription-manager {action}')
def clean_rhsm():
    """Erase every installed package whose name matches katello-ca-consumer."""
    # xargs -r: rpm -e is not invoked at all when grep finds no match
    erase_consumer_rpms = 'rpm -qa | grep katello-ca-consumer | xargs -r rpm -e'
    run_command(erase_consumer_rpms)