class TestBackupAndRestore(IntegrationTest): topology = 'star' def test_full_backup_and_restore(self): """backup, uninstall, restore""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_KEYS) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_CONF) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') # check the file permssion and ownership is set to 770 and # dirsrv:dirsrv after restore on /var/log/dirsrv/slapd-<instance> # related ticket : https://pagure.io/freeipa/issue/7725 instance = realm_to_serverid(self.master.domain.realm) log_path = paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance cmd = self.master.run_command(['stat', '-c', '"%a %G:%U"', log_path]) assert "770 dirsrv:dirsrv" in cmd.stdout_text def test_full_backup_and_restore_with_removed_users(self): """regression test for https://fedorahosted.org/freeipa/ticket/3866""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) homedir = os.path.join(self.master.config.test_dir, 'testuser_homedir') self.master.run_command(['useradd', 'ipatest_user1', '--system', '-d', homedir]) try: dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') finally: self.master.run_command(['userdel', 'ipatest_user1']) @pytest.mark.skipif( not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") def test_full_backup_and_restore_with_selinux_booleans_off(self): """regression test for https://fedorahosted.org/freeipa/ticket/4157""" with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) self.master.run_command([ 'setsebool', '-P', 'httpd_can_network_connect=off', 'httpd_manage_ipa=off', ]) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') result = self.master.run_command([ 'getsebool', 'httpd_can_network_connect', 'httpd_manage_ipa', ]) assert 'httpd_can_network_connect --> on' in result.stdout_text assert 'httpd_manage_ipa --> on' in result.stdout_text
class TestInstallMaster(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master(self.master, setup_dns=False) def test_install_kra(self): tasks.install_kra(self.master, first_instance=True) def test_install_dns(self): tasks.install_dns( self.master, extra_args=['--dnssec-master', '--no-dnssec-validation']) def test_WSGI_worker_process(self): """ Test if WSGI worker process count is set to 4 related ticket : https://pagure.io/freeipa/issue/7587 """ # check process count in httpd conf file i.e expected string exp = b'WSGIDaemonProcess ipa processes=%d' % constants.WSGI_PROCESSES httpd_conf = self.master.get_file_contents(paths.HTTPD_IPA_CONF) assert exp in httpd_conf # check the process count cmd = self.master.run_command('ps -eF') wsgi_count = cmd.stdout_text.count('wsgi:ipa') assert constants.WSGI_PROCESSES == wsgi_count def test_error_for_yubikey(self): """ Test error when yubikey hardware not present In order to work with IPA and Yubikey, libyubikey is required. Before the fix, if yubikey added without having packages, it used to result in traceback. Now it the exception is handeled properly. It needs Yubikey hardware to make command successfull. This test just check of proper error thrown when hardware is not attached. related ticket : https://pagure.io/freeipa/issue/6979 """ # try to add yubikey to the user args = ['ipa', 'otptoken-add-yubikey', '--owner=admin'] cmd = self.master.run_command(args, raiseonerr=False) assert cmd.returncode != 0 exp_str = ("ipa: ERROR: No YubiKey found") assert exp_str in cmd.stderr_text def test_pki_certs(self): certs, keys = tasks.certutil_certs_keys( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT) expected_certs = { # CA 'caSigningCert cert-pki-ca': 'CTu,Cu,Cu', 'ocspSigningCert cert-pki-ca': 'u,u,u', 'subsystemCert cert-pki-ca': 'u,u,u', 'auditSigningCert cert-pki-ca': 'u,u,Pu', # why P? # KRA 'transportCert cert-pki-kra': 'u,u,u', 'storageCert cert-pki-kra': 'u,u,u', 'auditSigningCert cert-pki-kra': 'u,u,Pu', # server 'Server-Cert cert-pki-ca': 'u,u,u', } assert certs == expected_certs assert len(certs) == len(keys) for nickname in sorted(certs): cert = tasks.certutil_fetch_cert( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, nickname) key_size = cert.public_key().key_size if nickname == 'caSigningCert cert-pki-ca': assert key_size == 3072 else: assert key_size == 2048 assert cert.signature_hash_algorithm.name == hashes.SHA256.name def test_p11_kit_softhsm2(self): # check that p11-kit-proxy does not inject SoftHSM2 result = self.master.run_command( ["modutil", "-dbdir", paths.PKI_TOMCAT_ALIAS_DIR, "-list"]) assert "softhsm" not in result.stdout_text.lower() assert "opendnssec" not in result.stdout_text.lower() @pytest.mark.skipif(not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") def test_selinux_avcs(self): # Use journalctl instead of ausearch. The ausearch command is not # installed by default and journalctl gives us all AVCs. result = self.master.run_command( ["journalctl", "--full", "--grep=AVC", "--since=yesterday"]) avcs = list(line.strip() for line in result.stdout_text.split('\n') if "AVC avc:" in line) if avcs: print('\n'.join(avcs)) # Use expected failure until all SELinux violations are fixed pytest.xfail("{} AVCs found".format(len(avcs)))
class TestBackupAndRestore(IntegrationTest): topology = 'star' def test_full_backup_and_restore(self): """backup, uninstall, restore""" with restore_checker(self.master): backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_KEYS) assert not self.master.transport.file_exists( paths.IPA_CUSTODIA_CONF) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') def test_full_backup_and_restore_with_removed_users(self): """regression test for https://fedorahosted.org/freeipa/ticket/3866""" with restore_checker(self.master): backup_path = backup(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) homedir = os.path.join(self.master.config.test_dir, 'testuser_homedir') self.master.run_command(['useradd', 'ipatest_user1', '--system', '-d', homedir]) try: dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') finally: self.master.run_command(['userdel', 'ipatest_user1']) @pytest.mark.skipif( not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") def test_full_backup_and_restore_with_selinux_booleans_off(self): """regression test for https://fedorahosted.org/freeipa/ticket/4157""" with restore_checker(self.master): backup_path = backup(self.master) logger.info('Backup path for %s is %s', self.master, backup_path) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) self.master.run_command([ 'setsebool', '-P', 'httpd_can_network_connect=off', 'httpd_manage_ipa=off', ]) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') result = self.master.run_command([ 'getsebool', 'httpd_can_network_connect', 'httpd_manage_ipa', ]) assert 'httpd_can_network_connect --> on' in result.stdout_text assert 'httpd_manage_ipa --> on' in result.stdout_text
class TestInstallMaster(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master(self.master, setup_dns=False) def test_schema_compat_attribute_and_tree_disable(self): """Test if schema-compat-entry-attribute is set This is to ensure if said entry is set after installation. It also checks if compat tree is disable. related: https://pagure.io/freeipa/issue/8193 """ conn = self.master.ldap_connect() entry = conn.get_entry(DN( # pylint: disable=no-member "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config")) entry_list = list(entry['schema-compat-entry-attribute']) value = (r'ipaexternalmember=%deref_r(' '"member","ipaexternalmember")') assert value in entry_list assert 'schema-compat-lookup-nsswitch' not in entry_list def test_install_kra(self): tasks.install_kra(self.master, first_instance=True) def test_install_dns(self): tasks.install_dns( self.master, extra_args=['--dnssec-master', '--no-dnssec-validation'] ) def test_ipactl_restart_pki_tomcat(self): """ Test if ipactl restart restarts the pki-tomcatd Wrong logic was triggering the start instead of restart for pki-tomcatd. This test validates that restart called on pki-tomcat properly. related ticket : https://pagure.io/freeipa/issue/7927 """ # get process id of pki-tomcatd pki_pid = get_pki_tomcatd_pid(self.master) # check if pki-tomcad restarted cmd = self.master.run_command(['ipactl', 'restart']) assert "Restarting pki-tomcatd Service" in cmd.stdout_text # check if pid for pki-tomcad changed pki_pid_after_restart = get_pki_tomcatd_pid(self.master) assert pki_pid != pki_pid_after_restart # check if pki-tomcad restarted cmd = self.master.run_command(['ipactl', 'restart']) assert "Restarting pki-tomcatd Service" in cmd.stdout_text # check if pid for pki-tomcad changed pki_pid_after_restart_2 = get_pki_tomcatd_pid(self.master) assert pki_pid_after_restart != pki_pid_after_restart_2 def test_ipactl_scenario_check(self): """ Test if ipactl starts services stopped by systemctl This will first check if all services are running then it will stop few service. After that it will restart all services and then check the status and pid of services.It will also compare pid after ipactl start and restart in case of start it will remain unchanged on the other hand in case of restart it will change. """ # listing all services ipa_services_name = [ "Directory", "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", "pki-tomcatd", "ipa-otpd", "ipa-dnskeysyncd" ] # checking the service status cmd = self.master.run_command(['ipactl', 'status']) for service in ipa_services_name: assert f"{service} Service: RUNNING" in cmd.stdout_text # stopping few services service_stop = ["krb5kdc", "kadmin", "httpd"] for service in service_stop: service_name = services.knownservices[service].systemd_name self.master.run_command(['systemctl', 'stop', service_name]) # checking service status service_start = [ svcs for svcs in ipa_services_name if svcs not in service_stop ] cmd = self.master.run_command(['ipactl', 'status']) for service in service_start: assert f"{service} Service: RUNNING" in cmd.stdout_text for service in service_stop: assert f'{service} Service: STOPPED' in cmd.stdout_text # starting all services again self.master.run_command(['ipactl', 'start']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in ipa_services_name: assert f"{service} Service: RUNNING" in cmd.stdout_text # get process id of services ipa_services_pids = get_ipa_services_pids(self.master) # restarting all services again self.master.run_command(['ipactl', 'restart']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in ipa_services_name: assert f"{service} Service: RUNNING" in cmd.stdout_text # check if pid for services are different svcs_pids_after_restart = get_ipa_services_pids(self.master) assert ipa_services_pids != svcs_pids_after_restart # starting all services again self.master.run_command(['ipactl', 'start']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in ipa_services_name: assert f"{service} Service: RUNNING" in cmd.stdout_text # check if pid for services are same svcs_pids_after_start = get_ipa_services_pids(self.master) assert svcs_pids_after_restart == svcs_pids_after_start def test_WSGI_worker_process(self): """ Test if WSGI worker process count is set to 4 related ticket : https://pagure.io/freeipa/issue/7587 """ # check process count in httpd conf file i.e expected string exp = b'WSGIDaemonProcess ipa processes=%d' % constants.WSGI_PROCESSES httpd_conf = self.master.get_file_contents(paths.HTTPD_IPA_CONF) assert exp in httpd_conf # check the process count cmd = self.master.run_command('ps -eF') wsgi_count = cmd.stdout_text.count('wsgi:ipa') assert constants.WSGI_PROCESSES == wsgi_count def test_error_for_yubikey(self): """ Test error when yubikey hardware not present In order to work with IPA and Yubikey, libyubikey is required. Before the fix, if yubikey added without having packages, it used to result in traceback. Now it the exception is handeled properly. It needs Yubikey hardware to make command successfull. This test just check of proper error thrown when hardware is not attached. related ticket : https://pagure.io/freeipa/issue/6979 """ # try to add yubikey to the user args = ['ipa', 'otptoken-add-yubikey', '--owner=admin'] cmd = self.master.run_command(args, raiseonerr=False) assert cmd.returncode != 0 exp_str = ("ipa: ERROR: No YubiKey found") assert exp_str in cmd.stderr_text def test_pki_certs(self): certs, keys = tasks.certutil_certs_keys( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT ) expected_certs = { # CA 'caSigningCert cert-pki-ca': 'CTu,Cu,Cu', 'ocspSigningCert cert-pki-ca': 'u,u,u', 'subsystemCert cert-pki-ca': 'u,u,u', 'auditSigningCert cert-pki-ca': 'u,u,Pu', # why P? # KRA 'transportCert cert-pki-kra': 'u,u,u', 'storageCert cert-pki-kra': 'u,u,u', 'auditSigningCert cert-pki-kra': 'u,u,Pu', # server 'Server-Cert cert-pki-ca': 'u,u,u', } assert certs == expected_certs assert len(certs) == len(keys) for nickname in sorted(certs): cert = tasks.certutil_fetch_cert( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, nickname ) key_size = cert.public_key().key_size if nickname == 'caSigningCert cert-pki-ca': assert key_size == 3072 else: assert key_size == 2048 assert cert.signature_hash_algorithm.name == hashes.SHA256.name def test_http_cert(self): """ Test that HTTP certificate contains ipa-ca.$DOMAIN DNS name. """ data = self.master.get_file_contents(paths.HTTPD_CERT_FILE) cert = x509.load_pem_x509_certificate(data) name = f'ipa-ca.{self.master.domain.name}' assert crypto_x509.DNSName(name) in cert.san_general_names def test_p11_kit_softhsm2(self): # check that p11-kit-proxy does not inject SoftHSM2 result = self.master.run_command([ "modutil", "-dbdir", paths.PKI_TOMCAT_ALIAS_DIR, "-list" ]) assert "softhsm" not in result.stdout_text.lower() assert "opendnssec" not in result.stdout_text.lower() @pytest.mark.skipif( not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") def test_selinux_avcs(self): # Use journalctl instead of ausearch. The ausearch command is not # installed by default and journalctl gives us all AVCs. result = self.master.run_command([ "journalctl", "--full", "--grep=AVC", "--since=yesterday" ]) avcs = list( line.strip() for line in result.stdout_text.split('\n') if "AVC avc:" in line ) if avcs: print('\n'.join(avcs)) # Use expected failure until all SELinux violations are fixed pytest.xfail("{} AVCs found".format(len(avcs))) def test_file_permissions(self): args = [ "rpm", "-V", "python3-ipaclient", "python3-ipalib", "python3-ipaserver" ] if osinfo.id == 'fedora': args.extend([ "freeipa-client", "freeipa-client-common", "freeipa-common", "freeipa-server", "freeipa-server-common", "freeipa-server-dns", "freeipa-server-trust-ad" ]) else: args.extend([ "ipa-client", "ipa-client-common", "ipa-common", "ipa-server", "ipa-server-common", "ipa-server-dns" ]) result = self.master.run_command(args, raiseonerr=False) if result.returncode != 0: # Check the mode errors mode_warnings = re.findall( r"^.M....... [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found mode issues for the following files: {}" assert mode_warnings == [], msg.format(mode_warnings) # Check the owner errors user_warnings = re.findall( r"^.....U... [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found ownership issues for the following files: {}" assert user_warnings == [], msg.format(user_warnings) # Check the group errors group_warnings = re.findall( r"^......G.. [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found group issues for the following files: {}" assert group_warnings == [], msg.format(group_warnings) def test_ds_disable_upgrade_hash(self): # Test case for https://pagure.io/freeipa/issue/8315 # Disable password schema migration on LDAP bind result = tasks.ldapsearch_dm( self.master, "cn=config", ldap_args=["nsslapd-enable-upgrade-hash"], scope="base" ) assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text def test_admin_root_alias_CVE_2020_10747(self): # Test for CVE-2020-10747 fix # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 rootprinc = "root@{}".format(self.master.domain.realm) result = self.master.run_command(["ipa", "user-show", "admin"]) assert rootprinc in result.stdout_text result = self.master.run_command( ["ipa", "user-add", "root", "--first", "root", "--last", "root"], raiseonerr=False ) assert result.returncode != 0 assert 'user with name "root" already exists' in result.stderr_text
class TestInstallMaster(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master(self.master, setup_dns=False) def test_install_kra(self): tasks.install_kra(self.master, first_instance=True) def test_install_dns(self): tasks.install_dns( self.master, extra_args=['--dnssec-master', '--no-dnssec-validation']) def test_ipactl_restart_pki_tomcat(self): """ Test if ipactl restart restarts the pki-tomcatd Wrong logic was triggering the start instead of restart for pki-tomcatd. This test validates that restart called on pki-tomcat properly. related ticket : https://pagure.io/freeipa/issue/7927 """ # get process id of pki-tomcatd pki_pid = get_pki_tomcatd_pid(self.master) # check if pki-tomcad restarted cmd = self.master.run_command(['ipactl', 'restart']) assert "Restarting pki-tomcatd Service" in cmd.stdout_text # check if pid for pki-tomcad changed pki_pid_after_restart = get_pki_tomcatd_pid(self.master) assert pki_pid != pki_pid_after_restart # check if pki-tomcad restarted cmd = self.master.run_command(['ipactl', 'restart']) assert "Restarting pki-tomcatd Service" in cmd.stdout_text # check if pid for pki-tomcad changed pki_pid_after_restart_2 = get_pki_tomcatd_pid(self.master) assert pki_pid_after_restart != pki_pid_after_restart_2 def test_ipactl_scenario_check(self): """ Test if ipactl starts services stopped by systemctl This will first check if all services are running then it will stop few service. After that it will restart all services and then check the status and pid of services.It will also compare pid after ipactl start and restart in case of start it will remain unchanged on the other hand in case of restart it will change. """ # listing all services services = [ "Directory", "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", "pki-tomcatd", "ipa-otpd", "ipa-dnskeysyncd" ] # checking the service status cmd = self.master.run_command(['ipactl', 'status']) for service in services: assert f"{service} Service: RUNNING" in cmd.stdout_text # stopping few services service_stop = ["krb5kdc", "kadmin", "httpd"] for service in service_stop: self.master.run_command(['systemctl', 'stop', service]) # checking service status service_start = [svcs for svcs in services if svcs not in service_stop] cmd = self.master.run_command(['ipactl', 'status']) for service in service_start: assert f"{service} Service: RUNNING" in cmd.stdout_text for service in service_stop: assert f'{service} Service: STOPPED' in cmd.stdout_text # starting all services again self.master.run_command(['ipactl', 'start']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in services: assert f"{service} Service: RUNNING" in cmd.stdout_text # get process id of services ipa_services_pids = get_ipa_services_pids(self.master) # restarting all services again self.master.run_command(['ipactl', 'restart']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in services: assert f"{service} Service: RUNNING" in cmd.stdout_text # check if pid for services are different svcs_pids_after_restart = get_ipa_services_pids(self.master) assert ipa_services_pids != svcs_pids_after_restart # starting all services again self.master.run_command(['ipactl', 'start']) # checking service status cmd = self.master.run_command(['ipactl', 'status']) for service in services: assert f"{service} Service: RUNNING" in cmd.stdout_text # check if pid for services are same svcs_pids_after_start = get_ipa_services_pids(self.master) assert svcs_pids_after_restart == svcs_pids_after_start def test_WSGI_worker_process(self): """ Test if WSGI worker process count is set to 4 related ticket : https://pagure.io/freeipa/issue/7587 """ # check process count in httpd conf file i.e expected string exp = b'WSGIDaemonProcess ipa processes=%d' % constants.WSGI_PROCESSES httpd_conf = self.master.get_file_contents(paths.HTTPD_IPA_CONF) assert exp in httpd_conf # check the process count cmd = self.master.run_command('ps -eF') wsgi_count = cmd.stdout_text.count('wsgi:ipa') assert constants.WSGI_PROCESSES == wsgi_count def test_error_for_yubikey(self): """ Test error when yubikey hardware not present In order to work with IPA and Yubikey, libyubikey is required. Before the fix, if yubikey added without having packages, it used to result in traceback. Now it the exception is handeled properly. It needs Yubikey hardware to make command successfull. This test just check of proper error thrown when hardware is not attached. related ticket : https://pagure.io/freeipa/issue/6979 """ # try to add yubikey to the user args = ['ipa', 'otptoken-add-yubikey', '--owner=admin'] cmd = self.master.run_command(args, raiseonerr=False) assert cmd.returncode != 0 exp_str = ("ipa: ERROR: No YubiKey found") assert exp_str in cmd.stderr_text def test_pki_certs(self): certs, keys = tasks.certutil_certs_keys( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT) expected_certs = { # CA 'caSigningCert cert-pki-ca': 'CTu,Cu,Cu', 'ocspSigningCert cert-pki-ca': 'u,u,u', 'subsystemCert cert-pki-ca': 'u,u,u', 'auditSigningCert cert-pki-ca': 'u,u,Pu', # why P? # KRA 'transportCert cert-pki-kra': 'u,u,u', 'storageCert cert-pki-kra': 'u,u,u', 'auditSigningCert cert-pki-kra': 'u,u,Pu', # server 'Server-Cert cert-pki-ca': 'u,u,u', } assert certs == expected_certs assert len(certs) == len(keys) for nickname in sorted(certs): cert = tasks.certutil_fetch_cert( self.master, paths.PKI_TOMCAT_ALIAS_DIR, paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, nickname) key_size = cert.public_key().key_size if nickname == 'caSigningCert cert-pki-ca': assert key_size == 3072 else: assert key_size == 2048 assert cert.signature_hash_algorithm.name == hashes.SHA256.name def test_p11_kit_softhsm2(self): # check that p11-kit-proxy does not inject SoftHSM2 result = self.master.run_command( ["modutil", "-dbdir", paths.PKI_TOMCAT_ALIAS_DIR, "-list"]) assert "softhsm" not in result.stdout_text.lower() assert "opendnssec" not in result.stdout_text.lower() @pytest.mark.skipif(not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") def test_selinux_avcs(self): # Use journalctl instead of ausearch. The ausearch command is not # installed by default and journalctl gives us all AVCs. result = self.master.run_command( ["journalctl", "--full", "--grep=AVC", "--since=yesterday"]) avcs = list(line.strip() for line in result.stdout_text.split('\n') if "AVC avc:" in line) if avcs: print('\n'.join(avcs)) # Use expected failure until all SELinux violations are fixed pytest.xfail("{} AVCs found".format(len(avcs))) def test_file_permissions(self): args = [ "rpm", "-V", "python3-ipaclient", "python3-ipalib", "python3-ipaserver" ] if osinfo.id == 'fedora': args.extend([ "freeipa-client", "freeipa-client-common", "freeipa-common", "freeipa-server", "freeipa-server-common", "freeipa-server-dns", "freeipa-server-trust-ad" ]) else: args.extend([ "ipa-client", "ipa-client-common", "ipa-common", "ipa-server", "ipa-server-common", "ipa-server-dns" ]) result = self.master.run_command(args, raiseonerr=False) if result.returncode != 0: # Check the mode errors mode_warnings = re.findall( r"^.M....... [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found mode issues for the following files: {}" assert mode_warnings == [], msg.format(mode_warnings) # Check the owner errors user_warnings = re.findall( r"^.....U... [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found ownership issues for the following files: {}" assert user_warnings == [], msg.format(user_warnings) # Check the group errors group_warnings = re.findall( r"^......G.. [cdglr ]+ (?P<filename>.*)$", result.stdout_text, re.MULTILINE) msg = "rpm -V found group issues for the following files: {}" assert group_warnings == [], msg.format(group_warnings)
class TestUserPermissions(IntegrationTest): topology = 'star' altadmin = "altadmin" @classmethod def install(cls, mh): super(TestUserPermissions, cls).install(mh) tasks.kinit_admin(cls.master) # Create a new user altadmin password_confirmation = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) cls.master.run_command([ 'ipa', 'user-add', cls.altadmin, '--first', cls.altadmin, '--last', cls.altadmin, '--password' ], stdin_text=password_confirmation) # Add altadmin to the group cn=admins cls.master.run_command( ['ipa', 'group-add-member', 'admins', '--users', cls.altadmin]) # kinit as altadmin to initialize the password altadmin_kinit = "%s\n%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password, cls.master.config.admin_password) cls.master.run_command(['kinit', cls.altadmin], stdin_text=altadmin_kinit) cls.master.run_command(['kdestroy', '-A']) def test_delete_preserve_as_alternate_admin(self): """ Test that a user member of admins group can call delete --preserve. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new user 'testuser' with a password testuser = '******' password = '******' testuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command([ 'ipa', 'user-add', testuser, '--first', testuser, '--last', testuser, '--password' ], stdin_text=testuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa user-del --preserve self.master.run_command(['ipa', 'user-del', '--preserve', testuser]) @pytest.mark.skipif(not platformtasks.is_selinux_enabled(), reason="Test needs SELinux enabled") @pytest.mark.xfail(osinfo.id == 'fedora' and osinfo.version_number <= (28, ), reason='sssd ticket 3819', strict=True) def test_selinux_user_optimized(self): """ Check that SELinux login context is set on first login for the user, even if the user is not mapped to a specific SELinux user. Related ticket https://pagure.io/SSSD/sssd/issue/3819. """ if self.master.is_fips_mode: # pylint: disable=no-member pytest.skip("paramiko is not compatible with FIPS mode") # Scenario: add an IPA user with non-default home dir, login through # ssh as this user and check that there is a SELinux user mapping # for the user with `semanage login -l`. # kinit admin tasks.kinit_admin(self.master) testuser = '******' password = '******' testuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command([ 'ipa', 'user-add', testuser, '--first', testuser, '--last', testuser, '--password', '--homedir', '/root/{}'.format(testuser) ], stdin_text=testuser_password_confirmation) # login to the system client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(self.master.hostname, username=testuser, password=password) client.close() # check if user listed in output cmd = self.master.run_command(['semanage', 'login', '-l']) assert testuser in cmd.stdout_text # call ipa user-del self.master.run_command(['ipa', 'user-del', testuser]) def test_stageuser_show_as_alternate_admin(self): """ Test that a user member of admins group can call stageuser-show and read the 'Kerberos Keys available' information. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new stage user 'stageuser' with a password stageuser = '******' password = '******' stageuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command([ 'ipa', 'stageuser-add', stageuser, '--first', stageuser, '--last', stageuser, '--password' ], stdin_text=stageuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa stageuser-show # the field Kerberos Keys available must contain True result = self.master.run_command(['ipa', 'stageuser-show', stageuser]) assert 'Kerberos keys available: True' in result.stdout_text def test_user_add_withradius(self): """ Test that a user with User Administrator role can call ipa user-add --radius myradius to create a user with an assigned Radius Proxy Server. This is a test case for issue 7570 """ # kinit admin tasks.kinit_admin(self.master) # Create a radius proxy server radiusproxy = 'myradius' secret = 'Secret123' radius_secret_confirmation = "%s\n%s\n" % (secret, secret) self.master.run_command([ 'ipa', 'radiusproxy-add', radiusproxy, '--server', 'radius.example.com', '--secret' ], stdin_text=radius_secret_confirmation) # Create a user with 'User Administrator' role altuser = '******' password = '******' password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command([ 'ipa', 'user-add', altuser, '--first', altuser, '--last', altuser, '--password' ], stdin_text=password_confirmation) self.master.run_command([ 'ipa', 'role-add-member', "User Administrator", '--user', altuser ]) # kinit as altuser to initialize the password altuser_kinit = "%s\n%s\n%s\n" % (password, password, password) self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit) # call ipa user-add with --radius=... # this call requires read access to radius proxy servers self.master.run_command([ 'ipa', 'user-add', '--first', 'test', '--last', 'test', '--user-auth-type', 'radius', '--radius-username', 'testradius', 'testradius', '--radius', radiusproxy ])