def install(cls, mh): # External DNS is only available before install so cache a copy # of the *ipa-epn-client package so we can experimentally remove # it later. # # Notes: # - A package can't be downloaded that is already installed so we # have to remove it first. # - dnf cleans up previously downloaded locations so make a copy it # doesn't know about. # - Adds a class variable, pkg, containing the package name of # the downloaded *ipa-client-epn rpm. hosts = [cls.master, cls.clients[0]] tasks.uninstall_packages(cls.clients[0], EPN_PKG) pkgdir = tasks.download_packages(cls.clients[0], EPN_PKG) pkg = cls.clients[0].run_command(r'ls -1 {}'.format(pkgdir)) cls.pkg = pkg.stdout_text.strip() cls.clients[0].run_command( ['cp', os.path.join(pkgdir, cls.pkg), '/tmp']) cls.clients[0].run_command(r'rm -rf {}'.format(pkgdir)) for host in hosts: tasks.install_packages(host, EPN_PKG + ["postfix"]) try: tasks.install_packages(host, ["cyrus-sasl"]) except Exception: # the package is likely already installed pass tasks.install_master(cls.master, setup_dns=True) tasks.install_client(cls.master, cls.clients[0]) for host in hosts: configure_postfix(host, cls.master.domain.realm) Firewall(host).enable_services(["smtp", "smtps"])
def test_install_with_host_auth_ind_set(self): """ A client shouldn't be able to be promoted if it has any auth indicator set in the host principal. https://pagure.io/freeipa/issue/8206 """ client = self.replicas[0] # Configure firewall first Firewall(client).enable_services(["freeipa-ldap", "freeipa-ldaps"]) client.run_command([ 'ipa-client-install', '-U', '--domain', self.master.domain.name, '--realm', self.master.domain.realm, '-p', 'admin', '-w', self.master.config.admin_password, '--server', self.master.hostname, '--force-join' ]) tasks.kinit_admin(client) client.run_command( ['ipa', 'host-mod', '--auth-ind=otp', client.hostname]) res = client.run_command([ 'ipa-replica-install', '-U', '-w', self.master.config.dirman_password ], raiseonerr=False) client.run_command(['ipa', 'host-mod', '--auth-ind=', client.hostname]) expected_err = ("Client cannot be promoted to a replica if the host " "principal has an authentication indicator set.") assert res.returncode == 1 assert expected_err in res.stderr_text
def test_replica_promotion_after_adding_to_admin_group(self): self.master.run_command(['ipa', 'group-add-member', 'admins', '--users=%s' % self.username]) # Configure firewall first Firewall(self.replicas[0]).enable_services(["freeipa-ldap", "freeipa-ldaps"]) self.replicas[0].run_command(['ipa-replica-install', '-P', self.username, '-p', self.new_password, '-n', self.master.domain.name, '-r', self.master.domain.realm, '-U'])
def test_replica_promotion_by_unprivileged_user(self): replica = self.replicas[0] tasks.install_client(self.master, replica) # Configure firewall first Firewall(replica).enable_services(["freeipa-ldap", "freeipa-ldaps"]) result2 = replica.run_command([ 'ipa-replica-install', '-P', self.username, '-p', self.new_password, '-n', self.master.domain.name, '-r', self.master.domain.realm ], raiseonerr=False) assert_error(result2, "Insufficient privileges to promote the server", 1)
def test_install_dns_on_replica1_and_dnssec_on_master(self): """ install DNS server on replica and DNSSec on master """ tasks.install_dns(self.replicas[0]) args = [ "ipa-dns-install", "--dnssec-master", "--forwarder", self.master.config.dns_forwarder, "-U", ] self.master.run_command(args) Firewall(self.master).enable_service("dns")
def install(cls, mh): super(TestHttpKdcProxy, cls).install(mh) # Block access from client to master's port 88 Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules) # configure client cls.clients[0].run_command( r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (cls.master.hostname, paths.KRB5_CONF)) cls.clients[0].run_command(r"sed -i 's/master_kdc = .*$/master_kdc" r" = https:\/\/%s\/KdcProxy/' %s" % (cls.master.hostname, paths.KRB5_CONF)) # Workaround for https://fedorahosted.org/freeipa/ticket/6443 cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
def test_replica_uninstallation_prohibited(self): """ http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan #Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting _topology_segment """ result = self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U'], raiseonerr=False) assert_error(result, "Removal of '%s' leads to disconnected" " topology" % self.replicas[0].hostname, 1) self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect']) Firewall(self.replicas[0]).disable_services(["freeipa-ldap", "freeipa-ldaps"])
def test_one_command_installation(self): """ TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan #Test_case:_Replica_can_be_installed_using_one_command """ self.replicas[0].run_command([ 'ipa-replica-install', '-w', self.master.config.admin_password, '-n', self.master.domain.name, '-r', self.master.domain.realm, '--server', self.master.hostname, '-U' ]) Firewall(self.replicas[0]).enable_services( ["freeipa-ldap", "freeipa-ldaps"]) # Ensure that pkinit is properly configured, test for 7566 result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) assert "PKINIT is enabled" in result.stdout_text
def test_one_step_install_pwd_and_admin_pwd(self): """--password and --admin-password options are mutually exclusive Test for ticket 6353 """ expected_err = "--password and --admin-password options are " \ "mutually exclusive" result = self.replicas[0].run_command([ 'ipa-replica-install', '-w', self.master.config.admin_password, '-p', 'OTPpwd', '-n', self.master.domain.name, '-r', self.master.domain.realm, '--server', self.master.hostname, '-U' ], raiseonerr=False) assert result.returncode == 1 assert expected_err in result.stderr_text Firewall(self.replicas[0]).enable_services( ["freeipa-ldap", "freeipa-ldaps"])
def test_upcase_client_domain(self): client = self.replicas[0] result = client.run_command(['ipa-client-install', '-U', '--domain', self.master.domain.name.upper(), '-w', self.master.config.admin_password, '-p', 'admin', '--server', self.master.hostname, '--force-join'], raiseonerr=False) assert(result.returncode == 0), ( 'Failed to setup client with the upcase domain name') # Configure firewall first Firewall(self.replicas[0]).enable_services(["freeipa-ldap", "freeipa-ldaps"]) result1 = client.run_command(['ipa-replica-install', '-U', '-w', self.master.config.dirman_password], raiseonerr=False) assert(result1.returncode == 0), ( 'Failed to promote the client installed with the upcase domain name')
def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) args = [ "ipa-dns-install", "--dnssec-master", "--forwarder", cls.master.config.dns_forwarder, "-U", ] cls.master.run_command(args) # Enable dns service on master as it has been installed without dns # support before Firewall(cls.master).enable_services(["dns"]) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) # backup trusted key tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_replica_install_in_forward_zone(self): master = self.master replica = self.replicas[0] # Create a forward zone on the master master.run_command(['ipa', 'dnsforwardzone-add', self.forwardzone, '--skip-overlap-check', '--forwarder', master.config.dns_forwarder]) # Configure the client with a name in the forwardzone r_shortname = replica.hostname.split(".", 1)[0] r_new_hostname = '{}.{}'.format(r_shortname, self.forwardzone) # Update /etc/hosts on the master with an entry for the replica # otherwise replica conncheck would fail update_etc_hosts(master, replica.ip, replica.hostname, r_new_hostname) # Remove the replica previous hostname from /etc/hosts # and add the replica new hostname # otherwise replica install will complain because # hostname does not match update_etc_hosts(replica, replica.ip, replica.hostname, r_new_hostname) try: # install client with a hostname in the forward zone tasks.install_client(self.master, replica, extra_args=['--hostname', r_new_hostname]) # Configure firewall first Firewall(replica).enable_services(["freeipa-ldap", "freeipa-ldaps"]) replica.run_command(['ipa-replica-install', '--principal', replica.config.admin_name, '--admin-password', replica.config.admin_password, '--setup-dns', '--forwarder', master.config.dns_forwarder, '-U']) finally: # Restore /etc/hosts on master and replica restore_etc_hosts(master) restore_etc_hosts(replica)
def test_wrong_client_domain(self): client = self.replicas[0] client.run_command(['ipa-client-install', '-U', '--domain', self.domain_name, '--realm', self.master.domain.realm, '-p', 'admin', '-w', self.master.config.admin_password, '--server', self.master.hostname, '--force-join']) # Configure firewall first Firewall(client).enable_services(["freeipa-ldap", "freeipa-ldaps"]) result = client.run_command(['ipa-replica-install', '-U', '-w', self.master.config.dirman_password], raiseonerr=False) assert_error(result, "Cannot promote this client to a replica. Local domain " "'%s' does not match IPA domain " "'%s'" % (self.domain_name, self.master.domain.name))
def test_migrate_dnssec_master(self): """Both master and replica have DNS installed""" backup_filename = "/var/lib/ipa/ipa-kasp.db.backup" replica_backup_filename = "/tmp/ipa-kasp.db.backup" # add test zone dnszone_add_dnssec(self.master, example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100), "Zone %s is not signed (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200), "Zone %s is not signed (replica)" % example_test_zone dnskey_old = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset # migrate dnssec master to replica args = [ "ipa-dns-install", "--disable-dnssec-master", "--forwarder", self.master.config.dns_forwarder, "--force", "-U", ] self.master.run_command(args) # move content of "ipa-kasp.db.backup" to replica kasp_db_backup = self.master.get_file_contents(backup_filename) self.replicas[0].put_file_contents(replica_backup_filename, kasp_db_backup) args = [ "ipa-dns-install", "--dnssec-master", "--kasp-db", replica_backup_filename, "--forwarder", self.master.config.dns_forwarder, "-U", ] self.replicas[0].run_command(args) # Enable the dns service in the firewall on the replica Firewall(self.replicas[0]).enable_services(["dns"]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, timeout=100 ), "Zone %s is not signed after migration (master)" % example_test_zone # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example_test_zone, timeout=200 ), "Zone %s is not signed after migration (replica)" % example_test_zone # test if dnskey are the same dnskey_new = resolve_with_dnssec(self.master.ip, example_test_zone, rtype="DNSKEY").rrset assert dnskey_old == dnskey_new, "DNSKEY should be the same" # add test zone dnszone_add_dnssec(self.replicas[0], example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, timeout=100 ), ("Zone %s is not signed after migration (replica - dnssec master)" % example2_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example2_test_zone, timeout=200), ("Zone %s is not signed after migration (master)" % example2_test_zone) # add new replica tasks.install_replica(self.master, self.replicas[1], setup_dns=True) # test if originial zones are signed on new replica # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example2_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example2_test_zone) # add new zone to new replica dnszone_add_dnssec(self.replicas[0], example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, timeout=200), ("Zone %s is not signed (new replica)" % example3_test_zone) assert wait_until_record_is_signed( self.replicas[0].ip, example3_test_zone, timeout=200), ("Zone %s is not signed (replica)" % example3_test_zone) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example3_test_zone, timeout=200), ("Zone %s is not signed (master)" % example3_test_zone)
def uninstall(cls, mh): super(TestHttpKdcProxy, cls).uninstall(mh) Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)