def __configure_instance(self): self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None) self.__template_file(paths.KRB5_CONF) self.__template_file(paths.HTML_KRB5_INI) self.__template_file(paths.KRB_CON) self.__template_file(paths.HTML_KRBREALM_CON) MIN_KRB5KDC_WITH_WORKERS = "1.9" cpus = os.sysconf('SC_NPROCESSORS_ONLN') workers = False result = ipautil.run([paths.KLIST, '-V'], raiseonerr=False, capture_output=True) if result.returncode == 0: verstr = result.output.split()[-1] ver = tasks.parse_ipa_version(verstr) min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS) if ver >= min: workers = True # Write down config file # We write realm and also number of workers (for multi-CPU systems) replacevars = {'KRB5REALM': self.realm} appendvars = {} if workers and cpus > 1: appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)} ipautil.backup_config_and_replace_variables( self.fstore, paths.SYSCONFIG_KRB5KDC_DIR, replacevars=replacevars, appendvars=appendvars) tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
def check_version(): """ :raise UpgradePlatformError: if platform is not the same :raise UpgradeDataOlderVersionError: if data needs to be upgraded :raise UpgradeDataNewerVersionError: older version of IPA was detected than data :raise UpgradeMissingVersionError: if platform or version is missing """ platform = sysupgrade.get_upgrade_state('ipa', 'platform') if platform is not None: if platform != ipaplatform.NAME: raise UpgradePlatformError( "platform mismatch (expected '%s', current '%s')" % ( platform, ipaplatform.NAME) ) else: raise UpgradeMissingVersionError("no platform stored") data_version = sysupgrade.get_upgrade_state('ipa', 'data_version') if data_version is not None: parsed_data_ver = tasks.parse_ipa_version(data_version) parsed_ipa_ver = tasks.parse_ipa_version(version.VENDOR_VERSION) if parsed_data_ver < parsed_ipa_ver: raise UpgradeDataOlderVersionError( "data needs to be upgraded (expected version '%s', current " "version '%s')" % (version.VENDOR_VERSION, data_version) ) elif parsed_data_ver > parsed_ipa_ver: raise UpgradeDataNewerVersionError( "data are in newer version than IPA (data version '%s', IPA " "version '%s')" % (data_version, version.VENDOR_VERSION) ) else: raise UpgradeMissingVersionError("no data_version stored")
def __configure_instance(self): self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None) self.__template_file(paths.KRB5_CONF) self.__template_file(paths.HTML_KRB5_INI) self.__template_file(paths.KRB_CON) self.__template_file(paths.HTML_KRBREALM_CON) MIN_KRB5KDC_WITH_WORKERS = "1.9" cpus = os.sysconf('SC_NPROCESSORS_ONLN') workers = False result = ipautil.run(['klist', '-V'], raiseonerr=False, capture_output=True) if result.returncode == 0: verstr = result.output.split()[-1] ver = tasks.parse_ipa_version(verstr) min = tasks.parse_ipa_version(MIN_KRB5KDC_WITH_WORKERS) if ver >= min: workers = True # Write down config file # We write realm and also number of workers (for multi-CPU systems) replacevars = {'KRB5REALM':self.realm} appendvars = {} if workers and cpus > 1: appendvars = {'KRB5KDC_ARGS': "'-w %s'" % str(cpus)} ipautil.backup_config_and_replace_variables(self.fstore, paths.SYSCONFIG_KRB5KDC_DIR, replacevars=replacevars, appendvars=appendvars) tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
def test_ssh_from_controller(self): """https://pagure.io/SSSD/sssd/issue/3979 Test ssh from test controller after adding ldap_deref_threshold=0 to sssd.conf on master Steps: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 """ if self.master.is_fips_mode: # pylint: disable=no-member pytest.skip("paramiko is not compatible with FIPS mode") cmd = self.master.run_command(['sssd', '--version']) sssd_version = platform_tasks.parse_ipa_version( cmd.stdout_text.strip()) if sssd_version < platform_tasks.parse_ipa_version('2.2.0'): pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly") username = "******" + str(random.randint(200000, 9999999)) # add ldap_deref_threshold=0 to /etc/sssd/sssd.conf sssd_conf_backup = tasks.FileBackup(self.master, paths.SSSD_CONF) with tasks.remote_sssd_config(self.master) as sssd_config: sssd_config.edit_domain( self.master.domain, 'ldap_deref_threshold', 0) try: self.master.run_command(['systemctl', 'restart', 'sssd.service']) # kinit admin tasks.kinit_admin(self.master) # add ipa user cmd = ['ipa', 'user-add', '--first', username, '--last', username, '--password', username] input_passwd = 'Secret123\nSecret123\n' cmd_output = self.master.run_command(cmd, stdin_text=input_passwd) assert 'Added user "%s"' % username in cmd_output.stdout_text input_passwd = 'Secret123\nSecret123\nSecret123\n' self.master.run_command(['kinit', username], stdin_text=input_passwd) client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(self.master.hostname, username=username, password='******') client.close() finally: sssd_conf_backup.restore() self.master.run_command(['systemctl', 'restart', 'sssd.service'])
def test_versions(self, versions): version_string1, version_string2, expected_comparison = versions ver1 = tasks.parse_ipa_version(version_string1) ver2 = tasks.parse_ipa_version(version_string2) if expected_comparison == "newer": assert ver1 > ver2 elif expected_comparison == "older": assert ver1 < ver2 elif expected_comparison == "equal": assert ver1 == ver2 else: raise TypeError( "Unexpected comparison string: {}".format(expected_comparison))
def test_versions(self, versions): version_string1, version_string2, expected_comparison = versions ver1 = tasks.parse_ipa_version(version_string1) ver2 = tasks.parse_ipa_version(version_string2) if expected_comparison == "newer": assert ver1 > ver2 elif expected_comparison == "older": assert ver1 < ver2 elif expected_comparison == "equal": assert ver1 == ver2 else: raise TypeError( "Unexpected comparison string: {}".format(expected_comparison) )
def test_ext_grp_with_ldap(self): """User and group with same name should not break reading AD user data. Regression test for https://pagure.io/SSSD/sssd/issue/4073 When aduser is added in extrnal group and this group is added in group with same name of nonprivate ipa user and possix id, then lookup of aduser and group should be successful when cache is empty. """ cmd = self.master.run_command(['sssd', '--version']) sssd_version = platform_tasks.parse_ipa_version( cmd.stdout_text.strip()) if sssd_version <= platform_tasks.parse_ipa_version('2.2.2'): pytest.skip("Fix for https://pagure.io/SSSD/sssd/issue/4073 " "unavailable with sssd-2.2.2") client = self.clients[0] user = '******' userid = '100996' ext_group = 'ext-ipatest' tasks.kinit_admin(self.master) # add user with same uid and gidnumber tasks.user_add( self.master, user, extra_args=['--noprivate', '--uid', userid, '--gidnumber', userid]) # add group with same as user_name and user_id. tasks.group_add(self.master, user, extra_args=['--gid', userid]) tasks.group_add(self.master, ext_group, extra_args=['--external']) self.master.run_command( ['ipa', 'group-add-member', '--group', ext_group, user]) self.master.run_command([ 'ipa', '-n', 'group-add-member', '--external', self.users['ad']['name'], ext_group ]) tasks.clear_sssd_cache(self.master) tasks.clear_sssd_cache(client) try: result = client.run_command(['id', self.users['ad']['name']]) assert '{uid}({name})'.format(uid=userid, name=user) in result.stdout_text finally: self.master.run_command(['ipa', 'user-del', user]) self.master.run_command(['ipa', 'group-del', user, ext_group])
def _is_newer_tomcat_version(self, default=None): try: result = ipautil.run([paths.BIN_TOMCAT, "version"], capture_output=True) sn = re.search( r'Server number:\s+([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)', result.output) if sn is None: logger.info( "tomcat version cannot be parsed, " "default to pre-%s", default) return False v = tasks.parse_ipa_version(sn.group(1)) if v >= tasks.parse_ipa_version(default): return True except ipautil.CalledProcessError as e: logger.info( "failed to discover tomcat version, " "default to pre-%s, error: %s", default, str(e)) return False
def test_ipa_version(): v3 = tasks.parse_ipa_version('3.0') assert v3.version == u'3.0' if hasattr(v3, '_rpmvercmp'): assert v3._rpmvercmp_func is None v3._rpmvercmp(b'1', b'2') assert v3._rpmvercmp_func is not None v4 = tasks.parse_ipa_version('4.0') assert v4.version == u'4.0' if hasattr(v4, '_rpmvercmp'): assert v4._rpmvercmp_func is not None assert v3 < v4 assert v3 <= v4 assert v3 <= v3 assert v3 != v4 assert v3 == v3 assert not v3 == v4 assert v4 > v3 assert v4 >= v3
def test_ipa_version(): v3 = tasks.parse_ipa_version('3.0') assert v3.version == u'3.0' if hasattr(v3, '_rpmvercmp'): assert v3._rpmvercmp_func is None v3._rpmvercmp(b'1', b'2') assert v3._rpmvercmp_func is not None v4 = tasks.parse_ipa_version('4.0') assert v4.version == u'4.0' if hasattr(v4, '_rpmvercmp'): assert v4._rpmvercmp_func is not None # pylint: disable=comparison-with-itself assert v3 < v4 assert v3 <= v4 assert v3 <= v3 assert v3 != v4 assert v3 == v3 assert not v3 == v4 assert v4 > v3 assert v4 >= v3
def test_chain_of_trust_delv(self): """ Validate signed DNS records, using our own signed root zone """ INITIAL_KEY_FMT = '%s initial-key %d %d %d "%s";' # delv reports its version on stderr delv_version = self.master.run_command( ["delv", "-v"]).stderr_text.rstrip().replace("delv ", "") assert delv_version delv_version_parsed = platform_tasks.parse_ipa_version(delv_version) if delv_version_parsed < platform_tasks.parse_ipa_version("9.16"): pytest.skip( f"Requires delv >= 9.16(+yaml), installed: '{delv_version}'") # extract DSKEY from root zone ans = resolve_with_dnssec(self.master.ip, root_zone, rtype="DNSKEY") dnskey_rrset = ans.response.get_rrset( ans.response.answer, dns.name.from_text(root_zone), dns.rdataclass.IN, dns.rdatatype.DNSKEY, ) assert dnskey_rrset, "No DNSKEY records received" # export trust keys for root zone initial_keys = [] for key_rdata in dnskey_rrset: if key_rdata.flags != 257: continue # it is not KSK initial_keys.append(INITIAL_KEY_FMT % ( root_zone, key_rdata.flags, key_rdata.protocol, key_rdata.algorithm, base64.b64encode(key_rdata.key).decode("utf-8"), )) assert initial_keys, "No KSK returned from the root zone" trust_anchors = textwrap.dedent("""\ trust-anchors {{ {initial_key} }}; """).format(initial_key="\n".join(initial_keys)) logger.debug("Root zone trust-anchors: %s", trust_anchors) # set trusted anchor for our root zone for host in [self.master, self.replicas[0]]: host.put_file_contents(paths.DNSSEC_TRUSTED_KEY, trust_anchors) # verify signatures args = [ "delv", "+yaml", "+nosplit", "+vtrace", "@127.0.0.1", example_test_zone, "-a", paths.DNSSEC_TRUSTED_KEY, "SOA", ] # delv puts trace info on stderr for host in [self.master, self.replicas[0]]: result = host.run_command(args) yaml_data = yaml.safe_load(result.stdout_text) query_name_abs = dns.name.from_text(example_test_zone) root_zone_name = dns.name.from_text(root_zone) query_name_rel = query_name_abs.relativize( root_zone_name).to_text() assert yaml_data["query_name"] == query_name_rel assert yaml_data["status"] == "success" assert len(yaml_data["records"]) == 1 fully_validated = yaml_data["records"][0]["fully_validated"] fully_validated.sort() assert len(fully_validated) == 2 assert f"{example_test_zone} 1 IN RRSIG SOA" in fully_validated[0] assert f"{example_test_zone} 1 IN SOA" in fully_validated[1]