def install(cls, mh): # External DNS is only available before install so cache a copy # of the *ipa-epn-client package so we can experimentally remove # it later. # # Notes: # - A package can't be downloaded that is already installed so we # have to remove it first. # - dnf cleans up previously downloaded locations so make a copy it # doesn't know about. # - Adds a class variable, pkg, containing the package name of # the downloaded *ipa-client-epn rpm. tasks.uninstall_packages(cls.clients[0], EPN_PKG) pkgdir = tasks.download_packages(cls.clients[0], EPN_PKG) pkg = cls.clients[0].run_command(r'ls -1 {}'.format(pkgdir)) cls.pkg = pkg.stdout_text.strip() cls.clients[0].run_command( ['cp', os.path.join(pkgdir, cls.pkg), '/tmp']) cls.clients[0].run_command(r'rm -rf {}'.format(pkgdir)) tasks.install_packages(cls.master, EPN_PKG) tasks.install_packages(cls.master, ["postfix"]) tasks.install_packages(cls.clients[0], EPN_PKG) tasks.install_packages(cls.clients[0], ["postfix"]) for host in (cls.master, cls.clients[0]): try: tasks.install_packages(host, ["cyrus-sasl"]) except Exception: # the package is likely already installed pass tasks.install_master(cls.master, setup_dns=True) tasks.install_client(cls.master, cls.clients[0]) configure_postfix(cls.master, cls.master.domain.realm) configure_postfix(cls.clients[0], cls.master.domain.realm)
def test_ipa_adtrust_install_with_locale_issue8066(self): """ This test checks that ipa-adtrust-install command runs successfully on a system with locale en_IN.UTF-8 without displaying error below 'IndexError: list index out of range' This is a testcase for Pagure issue https://pagure.io/freeipa/issue/8066 """ # Set locale to en_IN.UTF-8 in .bashrc file to avoid reboot tasks.kinit_admin(self.master) BASHRC_CFG = "/root/.bashrc" bashrc_backup = tasks.FileBackup(self.master, BASHRC_CFG) exp_msg = "en_IN.UTF-8" try: self.master.run_command( 'echo "export LC_TIME=en_IN.UTF-8" >> ' + BASHRC_CFG ) result = self.master.run_command('echo "$LC_TIME"') assert result.stdout_text.rstrip() == exp_msg # Install ipa-server-adtrust and check status msg1 = ( "Unexpected error - see /var/log/ipaserver-install.log" "for details" ) msg2 = "IndexError: list index out of range" tasks.install_packages(self.master, ["*ipa-server-trust-ad"]) result = self.master.run_command( ["ipa-adtrust-install", "-U"], raiseonerr=False ) assert msg1 not in result.stderr_text assert msg2 not in result.stderr_text finally: bashrc_backup.restore()
def test_ipa_certs_check_ipacertnsstrust(self): """ Test checks the output for IPACertNSSTrust when kra is installed on the IPA system using ipa-kra-install """ cmd = tasks.install_kra(self.master) assert cmd.returncode == 0 tasks.install_packages(self.master, HEALTHCHECK_PKG) self.master.run_command( [ "ipa-healthcheck", "--source", "ipahealthcheck.ipa.certs", "--check", "IPACertNSSTrust", "--output-file", HEALTHCHECK_OUTPUT_FILE, ], raiseonerr=False, ) contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE, encoding="utf-8") data = json.loads(contents) for check in data: assert check["result"] == "SUCCESS" assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS) tasks.uninstall_master(self.master)
def test_ipa_dns_systemrecords_check(self): """ Test checks the result of IPADNSSystemRecordsCheck when ipa-server is configured without DNS. """ msg1 = "Expected SRV record missing" msg2 = "Got {count} ipa-ca A records, expected {expected}" tasks.install_packages(self.master, HEALTHCHECK_PKG) self.master.run_command( [ "ipa-healthcheck", "--source", "ipahealthcheck.ipa.idns", "--check", "IPADNSSystemRecordsCheck", "--output-file", HEALTHCHECK_OUTPUT_FILE, ], raiseonerr=False, ) contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE, encoding="utf-8") data = json.loads(contents) for check in data: assert check["result"] == "WARNING" assert check["kw"]["msg"] == msg1 or check["kw"]["msg"] == msg2
def test_restore_trust_pkg_before_restore(self): """Test restore with adtrust when trust-ad pkg is missing. Test for bug https://pagure.io/freeipa/issue/7630. """ tasks.install_packages(self.master, ['*ipa-server-trust-ad']) self.master.run_command(['ipa-adtrust-install', '-U', '--enable-compat', '--netbios-name', 'IPA', '-a', self.master.config.admin_password, '--add-sids']) with restore_checker(self.master): backup_path = tasks.get_backup_dir(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-trust-ad']) dirman_password = self.master.config.dirman_password result = self.master.run_command( ['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-trust-ad']) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes')
def prepare_acme_client(cls): # cache the acme service uri acme_host = f'{IPA_CA_RECORD}.{cls.master.domain.name}' cls.acme_server = f'https://{acme_host}/acme/directory' # install acme client packages if not skip_certbot_tests: tasks.install_packages(cls.clients[0], ['certbot']) if not skip_mod_md_tests: tasks.install_packages(cls.clients[0], ['mod_md'])
def install(cls, mh): tasks.install_packages(cls.master, EPN_PKG) tasks.install_packages(cls.master, ["postfix"]) tasks.install_packages(cls.clients[0], EPN_PKG) tasks.install_packages(cls.clients[0], ["postfix"]) for host in (cls.master, cls.clients[0]): try: tasks.install_packages(host, ["cyrus-sasl"]) except Exception: # the package is likely already installed pass tasks.install_master(cls.master, setup_dns=True) tasks.install_client(cls.master, cls.clients[0]) configure_postfix(cls.master, cls.master.domain.realm) configure_postfix(cls.clients[0], cls.master.domain.realm)
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore. Test for bug https://pagure.io/freeipa/issue/7630. """ with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = tasks.get_backup_dir(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-dns']) dirman_password = self.master.config.dirman_password result = self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-dns']) if reinstall: tasks.install_master(self.master, setup_dns=True) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') if reinstall: # If the server was reinstalled, reinstall may have changed # the uid and restore reverts to the original value. # clear the cache to make sure we get up-to-date values tasks.clear_sssd_cache(self.master) tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_ipa_healthcheck_dna_plugin_returns_warning_pagure_issue_60(self): """ This testcase checks that the status for IPADNARangeCheck on replica changes from WARNING to SUCCESS when user is added on the replica as the DNA range is set. Issue: freeipa/freeipa-healthcheck#60 """ returncode, data = run_healthcheck( self.master, "ipahealthcheck.ipa.dna", "IPADNARangeCheck", ) assert returncode == 0 for check in data: assert check["result"] == "SUCCESS" # Install ipa-healthcheck rpm on replica tasks.install_packages(self.replicas[0], HEALTHCHECK_PKG) returncode, data = run_healthcheck( self.replicas[0], "ipahealthcheck.ipa.dna", "IPADNARangeCheck", ) assert returncode == 1 for check in data: assert check["result"] == "WARNING" assert ( check["kw"]["msg"] == "No DNA range defined. If no masters " "define a range then users and groups cannot be created.") # Now kinit as admin and add a user on replica which will create a # DNA configuration. tasks.kinit_admin(self.replicas[0]) tasks.user_add( self.replicas[0], 'ipauser1', first='Test', last='User', ) # Now run the ipa-healthcheck command again returncode, data = run_healthcheck( self.replicas[0], "ipahealthcheck.ipa.dna", "IPADNARangeCheck", ) assert returncode == 0 for check in data: assert check["result"] == "SUCCESS"
def test_ipa_dns_systemrecords_check(self): """ Test checks the result of IPADNSSystemRecordsCheck when ipa-server is configured without DNS. """ msg1 = "Expected SRV record missing" msg2 = "Got {count} ipa-ca A records, expected {expected}" tasks.install_packages(self.master, HEALTHCHECK_PKG) returncode, data = run_healthcheck( self.master, "ipahealthcheck.ipa.idns", "IPADNSSystemRecordsCheck", ) assert returncode == 1 for check in data: assert check["result"] == "WARNING" assert check["kw"]["msg"] == msg1 or check["kw"]["msg"] == msg2
def test_ipa_certs_check_ipacertnsstrust(self): """ Test checks the output for IPACertNSSTrust when kra is installed on the IPA system using ipa-kra-install """ cmd = tasks.install_kra(self.master) assert cmd.returncode == 0 tasks.install_packages(self.master, HEALTHCHECK_PKG) returncode, data = run_healthcheck( self.master, "ipahealthcheck.ipa.certs", "IPACertNSSTrust", ) assert returncode == 0 for check in data: assert check["result"] == "SUCCESS" assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS) tasks.uninstall_master(self.master)
def install(cls, mh): for srv in (cls.master, cls.replicas[0]): tasks.install_packages(srv, HEALTHCHECK_PKG) # master with DNSSEC master tasks.install_master(cls.master, setup_dns=True, setup_kra=True) cls.master.run_command([ "ipa-dns-install", "--dnssec-master", "--forwarder", cls.master.config.dns_forwarder, "-U", ]) # hidden replica with CA and DNS tasks.install_replica( cls.master, cls.replicas[0], setup_dns=True, setup_kra=False, extra_args=('--hidden-replica',) ) # manually install KRA to verify that hidden state is synced tasks.install_kra(cls.replicas[0])
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore. Test for bug https://pagure.io/freeipa/issue/7630. """ with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = backup(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) tasks.uninstall_packages(self.master, ['*ipa-server-dns']) dirman_password = self.master.config.dirman_password result = self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes', raiseonerr=False) assert 'Please install the package' in result.stderr_text tasks.install_packages(self.master, ['*ipa-server-dns']) if reinstall: tasks.install_master(self.master, setup_dns=True) self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_ipa_healthcheck_log_rotate_file_exist_issue35(self): """ This test checks if log rotation has been added for ipa-healthcheck tool so that logs are rotated in /var/log/ipa/healthcheck folder. The test also checks that the logrotate configuration file is syntactically correct by calling logrotate --debug This is a testcase for below pagure issue https://github.com/freeipa/freeipa-healthcheck/issues/35 """ msg = "error: {}:".format(HEALTHCHECK_LOG_ROTATE_CONF) tasks.uninstall_packages(self.master, HEALTHCHECK_PKG) assert not self.master.transport.file_exists( HEALTHCHECK_LOG_ROTATE_CONF) tasks.install_packages(self.master, HEALTHCHECK_PKG) assert self.master.transport.file_exists(HEALTHCHECK_LOG_ROTATE_CONF) cmd = self.master.run_command( ['logrotate', '--debug', HEALTHCHECK_LOG_ROTATE_CONF]) assert msg not in cmd.stdout_text
def test_EPN_reinstall(self): """Test that EPN can be installed, uninstalled and reinstalled. Since post-install we no longer have access to the repos the package is downloaded and stored prior to server installation. """ tasks.uninstall_packages(self.clients[0], EPN_PKG) tasks.install_packages(self.clients[0], [os.path.join('/tmp', self.pkg)]) self.clients[0].run_command(r'rm -f /tmp/{}'.format(self.pkg)) # re-installing will create a new epn.conf so any execution # of ipa-epn will verify the reinstall was ok. Since the previous # test would have failed this one should be ok with new config. # Re-run the admin user expected failure (unused, stderr_text, _unused) = self._check_epn_output(self.master, dry_run=True) assert "uid=admin" in stderr_text
def setup_keycloakserver(host, version='17.0.0'): dir = "/opt/keycloak" password = host.config.admin_password tasks.install_packages(host, [ "unzip", "java-11-openjdk-headless", "openssl", "maven", "wget", "firefox", "xorg-x11-server-Xvfb" ]) # add keycloak system user/group and folder url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format( version) # noqa: E501 host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)]) host.run_command( ["unzip", "{0}-{1}.zip".format(dir, version), "-d", "/opt/"]) host.run_command(["mv", "{0}-{1}".format(dir, version), dir]) host.run_command(["groupadd", "keycloak"]) host.run_command( ["useradd", "-r", "-g", "keycloak", "-d", dir, "keycloak"]) host.run_command(["chown", "-R", "keycloak:", dir]) host.run_command(["chmod", "o+x", "{0}/bin/".format(dir)]) host.run_command(["restorecon", "-R", dir]) # setup TLS certificate using IPA CA host.run_command(["kinit", "-k"]) host.run_command(["ipa", "service-add", "HTTP/{0}".format(host.hostname)]) key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") host.run_command([ "ipa-getcert", "request", "-K", "HTTP/{0}".format(host.hostname), "-D", host.hostname, "-o", "keycloak", "-O", "keycloak", "-m", "0600", "-M", "0644", "-k", key, "-f", crt, "-w" ]) host.run_command([ "keytool", "-import", "-keystore", keystore, "-file", "/etc/ipa/ca.crt", "-alias", "ipa_ca", "-trustcacerts", "-storepass", password, "-noprompt" ]) host.run_command(["chown", "keycloak:keycloak", keystore]) # Setup keycloak service and config files contents = textwrap.dedent(""" KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD={admin_pswd} KC_HOSTNAME={host}:8443 KC_HTTPS_CERTIFICATE_FILE={crt} KC_HTTPS_CERTIFICATE_KEY_FILE={key} KC_HTTPS_TRUST_STORE_FILE={store} KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd} KC_HTTP_RELATIVE_PATH=/auth """).format(admin_pswd=password, host=host.hostname, crt=crt, key=key, store=keystore, store_pswd=password) host.put_file_contents("/etc/sysconfig/keycloak", contents) contents = textwrap.dedent(""" [Unit] Description=Keycloak Server After=network.target [Service] Type=idle EnvironmentFile=/etc/sysconfig/keycloak User=keycloak Group=keycloak ExecStart=/opt/keycloak/bin/kc.sh start TimeoutStartSec=600 TimeoutStopSec=600 [Install] WantedBy=multi-user.target """) host.put_file_contents("/etc/systemd/system/keycloak.service", contents) host.run_command(["systemctl", "daemon-reload"]) # Run build stage first env_vars = textwrap.dedent(""" export KEYCLOAK_ADMIN=admin export KC_HOSTNAME={hostname}:8443 export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS} export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS} export KC_HTTP_RELATIVE_PATH=/auth """).format(hostname=host.hostname, STORE_PASS=password, ADMIN_PASS=password) content = host.get_file_contents('/etc/bashrc', encoding='utf-8') new_content = content + "\n{}".format(env_vars) host.put_file_contents('/etc/bashrc', new_content) host.run_command(['bash']) host.run_command( ['su', '-', 'keycloak', '-c', '/opt/keycloak/bin/kc.sh build']) host.run_command(["systemctl", "start", "keycloak"]) host.run_command(["/opt/keycloak/bin/kc.sh", "show-config"]) # Setup keycloak for use: kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" host.run_command([ kcadmin_sh, "config", "truststore", "--trustpass", password, keystore ]) kcadmin = [ kcadmin_sh, "config", "credentials", "--server", "https://{0}:8443/auth/".format(host.hostname), "--realm", "master", "--user", "admin", "--password", password ] tasks.run_repeatedly(host, kcadmin, timeout=60) host.run_command([ kcadmin_sh, "create", "users", "-r", "master", "-s", "username=testuser1", "-s", "enabled=true", "-s", "[email protected]" ]) host.run_command([ kcadmin_sh, "set-password", "-r", "master", "--username", "testuser1", "--new-password", password ])
def test_rolecheck_Trust(self): """ipa-backup rolecheck: add Trust controllers/agents. """ # install AD Trust packages on replica first tasks.install_packages(self.replicas[0], ['*ipa-server-trust-ad']) self._check_rolecheck_backup_success(self.replicas[0]) self._check_rolecheck_backup_success(self.master) tasks.install_packages(self.master, ['*ipa-server-trust-ad']) # make replicas[0] become Trust Controller self.replicas[0].run_command([ 'ipa-adtrust-install', '-U', '--netbios-name', 'IPA', '-a', self.master.config.admin_password, '--add-sids' ]) # wait for replication to propagate the change on # cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test # as the ipa server-role-find call is using this entry to # build its output tasks.wait_for_replication(self.replicas[0].ldap_connect()) # double-check assert self._ipa_replica_role_check( self.replicas[0].hostname, self.serverroles['ADTC'] ) # check that master has no AD Trust-related role assert not self._ipa_replica_role_check( self.master.hostname, self.serverroles['ADTA'] ) self._check_rolecheck_backup_success(self.replicas[0]) self._check_rolecheck_backup_failure(self.master) # make master become Trust Agent cmd_input = ( # admin password: self.master.config.admin_password + '\n' + # WARNING: The smb.conf already exists. Running ipa-adtrust-install # will break your existing samba configuration. # Do you wish to continue? [no]: 'yes\n' # Enable trusted domains support in slapi-nis? [no]: '\n' + # WARNING: 1 IPA masters are not yet able to serve information # about users from trusted forests. # Installer can add them to the list of IPA masters allowed to # access information about trusts. # If you choose to do so, you also need to restart LDAP service on # those masters. # Refer to ipa-adtrust-install(1) man page for details. # IPA master[replica1.testrelm.test]?[no]: 'yes\n' ) self.replicas[0].run_command([ 'ipa-adtrust-install', '--add-agents'], stdin_text=cmd_input ) # wait for replication to propagate the change on # cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test # as the ipa server-role-find call is using this entry to # build its output tasks.wait_for_replication(self.replicas[0].ldap_connect()) # check that master is now an AD Trust agent assert self._ipa_replica_role_check( self.master.hostname, self.serverroles['ADTA'] ) # but not an AD Trust controller assert not self._ipa_replica_role_check( self.master.hostname, self.serverroles['ADTC'] ) self._check_rolecheck_backup_success(self.replicas[0]) self._check_rolecheck_backup_failure(self.master) # make master become Trust Controller self.master.run_command([ 'ipa-adtrust-install', '-U', '--netbios-name', 'IPA', '-a', self.master.config.admin_password, '--add-sids' ]) # wait for replication to propagate the change on # cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test # as the ipa server-role-find call is using this entry to # build its output tasks.wait_for_replication(self.master.ldap_connect()) # master and replicas[0] are both AD Trust Controllers now. for hostname in [self.master.hostname, self.replicas[0].hostname]: assert self._ipa_replica_role_check( hostname, self.serverroles['ADTC'] ) self._check_rolecheck_backup_success(self.master) self._check_rolecheck_backup_success(self.replicas[0]) # switch replicas[0] to hidden self.replicas[0].run_command([ 'ipa', 'server-state', self.replicas[0].hostname, '--state=hidden' ]) self._check_rolecheck_backup_success(self.master) self._check_rolecheck_backup_success(self.replicas[0])
def test_ipa_healthcheck_install_on_master(self): """ Testcase to check healthcheck package is installed succesfully on IPA master. """ tasks.install_packages(self.master, HEALTHCHECK_PKG)
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) tasks.install_packages(cls.master, HEALTHCHECK_PKG)
def test_ipa_healthcheck_install_on_replica(self): """ Testcase to check healthcheck package is installed succesfully on IPA replica. """ tasks.install_packages(self.replicas[0], HEALTHCHECK_PKG)