Esempio n. 1
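    def test_ipahealthcheck_hidden_replica(self):
        """Ensure that ipa-healthcheck runs successfully on all members
        of an IPA cluster that includes a hidden replica.

        The return-code assertion is wrapped in ``xfail_context`` when the
        PKI version found on the master is below the per-platform
        threshold listed in the body (tracked in
        https://pagure.io/freeipa/issue/8582).
        """
        os_version = (tasks.get_platform(self.master),
                      tasks.get_platform_version(self.master))
        pki_version = tasks.get_pki_version(self.master)

        # verify state
        self._check_config([self.master], [self.replicas[0]])
        # A DNA range is needed on the replica for ipa-healthcheck to work.
        # Create a user so that the replica gets a range.
        tasks.user_add(self.replicas[0], 'testuser')
        tasks.user_del(self.replicas[0], 'testuser')

        # The platform and PKI versions are read once, from the master only,
        # so the condition is identical for every server checked below and
        # is computed a single time instead of once per loop iteration.
        # NOTE(review): the replica's own PKI version is never inspected;
        # this presumably assumes both hosts run the same build - confirm.
        pki_too_old = (
            (os_version[0] == 'fedora'
             and pki_version < tasks.parse_version('11.1.0'))
            or (os_version[0] == 'rhel'
                and os_version[1][0] == 8
                and pki_version < tasks.parse_version('10.12.0'))
            or (os_version[0] == 'rhel'
                and os_version[1][0] == 9
                and pki_version < tasks.parse_version('11.0.4'))
        )

        for srv in (self.master, self.replicas[0]):
            returncode, _unused = run_healthcheck(srv, failures_only=True)
            with xfail_context(pki_too_old,
                               'https://pagure.io/freeipa/issue/8582'):
                assert returncode == 0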
Esempio n. 2
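    def test_login_wrong_password(self, user_creation_deletion):
        """Test ipa user login with wrong password

        When an ipa user logs in to the machine with a wrong password,
        sshd's journal should contain the pam_sss authentication-failure
        message for that user.

        related: https://github.com/SSSD/sssd/issues/5139
        """
        sssd_version = tasks.get_sssd_version(self.master)
        if sssd_version < tasks.parse_version('2.3.0'):
            pytest.xfail('Fix is part of sssd 2.3.0 and is'
                         ' available from fedora32 onwards')

        sshconn = paramiko.SSHClient()
        # AutoAddPolicy accepts whatever host key the server presents, so
        # the server's identity is not verified on this connection.
        # NOTE(review): tolerable only if self.master is a disposable test
        # host - do not copy this policy into production tooling.
        sshconn.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # `since` is the wall-clock time of the host running the test, while
        # journalctl evaluates --since on self.master.
        # NOTE(review): assumes both hosts agree on clock and time zone, and
        # that the test does not straddle midnight - confirm.
        since = time.strftime('%H:%M:%S')
        try:
            # try to login with wrong password
            # NOTE(review): connect() is called with paramiko's defaults,
            # which also try agent and on-disk keys; allow_agent=False and
            # look_for_keys=False would pin the attempt to password
            # authentication - confirm whether that is wanted here.
            sshconn.connect(self.master.hostname,
                            username=self.testuser,
                            password='******')
        except paramiko.AuthenticationException:
            # A rejected login is the expected outcome.
            pass
        finally:
            # Release the client even when connect() fails for a reason
            # other than authentication (DNS, refused connection, ...).
            sshconn.close()

        # check if proper message logged
        exp_msg = ("pam_sss(sshd:auth): received for user {}: 7"
                   " (Authentication failure)".format(self.testuser))
        result = self.master.run_command(['journalctl',
                                          '-u', 'sshd',
                                          '--since={}'.format(since)])
        assert exp_msg in result.stdout_text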
Esempio n. 3
    def test_kra_detection(self):
        """Check that ipa-server-upgrade does not mistake a directory for KRA

        Regression test for https://pagure.io/freeipa/issue/8596: the mere
        existence of /var/lib/pki/pki-tomcat/kra/ used to make the upgrade
        believe the KRA component was installed, and it crashed. An empty
        directory is created at that path, ipa-server-upgrade is run, and
        its stderr must not contain the failure message.
        """
        # pki 10.10.0 refuses to start when an empty
        # /var/lib/pki/pki-tomcat/kra directory exists
        # (https://github.com/dogtagpki/pki/issues/3397), so the test is
        # skipped on that exact version.
        installed_pki = tasks.get_pki_version(self.master)
        if installed_pki == tasks.parse_version('10.10.0'):
            pytest.skip("Skip test with pki 10.10.0")

        kra_path = os.path.join(paths.VAR_LIB_PKI_TOMCAT_DIR, "kra")
        try:
            self.master.run_command(["mkdir", "-p", kra_path])
            upgrade = self.master.run_command(['ipa-server-upgrade'])
            assert 'Upgrade failed with no such entry' \
                not in upgrade.stderr_text
        finally:
            # rmdir only removes an empty directory, so real KRA content
            # (if any) is never deleted by this cleanup.
            self.master.run_command(["rmdir", kra_path])
Esempio n. 4
    def test_missing_csr(self, expire_cert_critical):
        """
        Check that ipa-cert-fix copes with a CSR missing from CS.cfg

        Test case for https://pagure.io/freeipa/issue/8618
        Scenario:
        - move the date so that ServerCert cert-pki-ca is expired
        - delete the ca.sslserver.certreq directive from CS.cfg
        - run getcert resubmit so that certmonger creates the CSR
        - run ipa-cert-fix and expect no complaint about sslserver.crt
        """
        master = self.master
        expire_cert_critical(master)

        # CS.cfg can only be edited while pki is stopped
        master.run_command(['ipactl', 'stop'])
        master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
                            paths.CA_CS_CFG_PATH])
        # ipa-cert-fix needs dirsrv running
        master.run_command(['ipactl', 'start',
                            '--ignore-service-failures'])

        # getcert resubmit is what makes certmonger write the CSR. Normally
        # it is triggered automatically close to expiration; the test
        # forces it.
        master.run_command(['getcert', 'resubmit',
                            '-n', 'Server-Cert cert-pki-ca',
                            '-d', paths.PKI_TOMCAT_ALIAS_DIR])
        # Give certmonger a few seconds
        time.sleep(3)

        # The actual check: ipa-cert-fix must not complain about a missing
        # sslserver.crt
        fix = master.run_command(['ipa-cert-fix', '-v'],
                                 stdin_text='yes\n',
                                 raiseonerr=False)
        missing_file = ("No such file or directory: "
                        "'/etc/pki/pki-tomcat/certs/sslserver.crt'")
        assert missing_file not in fix.stderr_text

        # pki-cert-fix is known to fail on pki-core 10.10.0 (BZ 1897120,
        # https://bugzilla.redhat.com/show_bug.cgi?id=1897120), so nothing
        # further is verified on that version.
        if (tasks.get_pki_version(master)
                == tasks.parse_version('10.10.0')):
            return

        assert fix.returncode == 0

        # number of certs tracked by certmonger
        listing = master.run_command(['getcert', 'list'])
        tracked = listing.stdout_text.count('Request ID')

        # poll for up to 10 minutes until every tracked cert is back in
        # the MONITORING state
        max_wait = 600
        began = time.time()
        while time.time() - began < max_wait:
            listing = master.run_command(['getcert', 'list'])
            if listing.stdout_text.count('status: MONITORING') == tracked:
                return
            time.sleep(100)

        # the loop ran out of time
        raise AssertionError('Timeout: Failed to renew all the certs')
Esempio n. 5
    def test_missing_startup(self, expire_cert_critical):
        """
        Check ipa-cert-fix output when the startup directive is missing

        The 'selftests.container.order.startup' directive is removed from
        CS.cfg and ipa-cert-fix is run. Depending on the pki version the
        test expects one of two outcomes:

        - pki older than 10.11.0: ipa-cert-fix reports an error about the
          directive and the underlying 'pki-server cert-fix' command fails
          (related: https://pagure.io/freeipa/issue/8721);
        - otherwise: a warning is displayed rather than a failure, a change
          introduced by https://github.com/dogtagpki/pki/pull/3466
          (related: https://pagure.io/freeipa/issue/8890).
        """
        master = self.master
        expire_cert_critical(master)

        # CS.cfg can only be edited while pki is stopped
        master.run_command(['ipactl', 'stop'])
        master.run_command([
            'sed', '-i', r'/selftests\.container\.order\.startup/d',
            paths.CA_CS_CFG_PATH
        ])
        # ipa-cert-fix needs dirsrv running
        master.run_command(
            ['ipactl', 'start', '--ignore-service-failures'])

        fix = master.run_command(['ipa-cert-fix', '-v'],
                                 stdin_text='yes\n',
                                 raiseonerr=False)

        legacy_pki = (tasks.get_pki_version(master) <
                      tasks.parse_version('10.11.0'))

        if not legacy_pki:
            # newer pki only warns, on stdout
            warn_msg = ("WARNING: No selftests configured in "
                        f"{paths.CA_CS_CFG_PATH} "
                        "(selftests.container.order.startup)")
            assert warn_msg in fix.stdout_text
            return

        # older pki: both the directive error and the failed
        # 'pki-server cert-fix' invocation must show up on stderr
        assert "ERROR: 'selftests.container.order.startup'" \
            in fix.stderr_text
        assert ("ERROR: CalledProcessError(Command "
                "['pki-server', 'cert-fix'") in fix.stderr_text
Esempio n. 6
    def test_override_gid_subdomain(self):
        """Check that override_gid takes effect for a subdomain user

        Regression test for the sssd bug
        https://pagure.io/SSSD/sssd/issue/4061
        """
        master = self.master
        tasks.clear_sssd_cache(master)
        ad_user = self.users['child_ad']['name']
        gid = 10264
        expected = 'gid={id}'.format(id=gid)

        # the user must resolve before the override is put in place
        master.run_command(['id', ad_user])
        with self.override_gid_setup(gid):
            lookup = master.run_command(['id', ad_user])
            # sssd older than 2.3.0 is passed to xfail_context as the
            # condition for the known issue
            affected = (tasks.get_sssd_version(master)
                        < tasks.parse_version('2.3.0'))
            with xfail_context(affected,
                               'https://pagure.io/SSSD/sssd/issue/4061'):
                assert expected in lookup.stdout_text
Esempio n. 7
    def test_trustdomain_disable_disables_subdomain(self):
        """Check that users of a disabled trustdomain cannot be resolved

        Regression test for the sssd bug
        https://pagure.io/SSSD/sssd/issue/4078
        """
        master = self.master
        ad_user = self.users['child_ad']['name']

        # the user must resolve while the trustdomain is enabled
        master.run_command(['id', ad_user])

        with self.disabled_trustdomain():
            lookup = master.run_command(['id', ad_user], raiseonerr=False)
            # sssd older than 2.2.3 is passed to xfail_context as the
            # condition for the known issue
            affected = (tasks.get_sssd_version(master)
                        < tasks.parse_version('2.2.3'))
            with xfail_context(affected,
                               'https://pagure.io/SSSD/sssd/issue/4078'):
                # access control check: the lookup has to be denied
                assert lookup.returncode == 1
                assert 'no such user' in lookup.stderr_text

        # once the trustdomain is enabled again the user must resolve
        master.run_command(['id', ad_user])
Esempio n. 8
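    def test_aduser_with_idview(self):
        """Test that trusted AD users should not lose their AD domains.

        This is a regression test for sssd bug:
        https://pagure.io/SSSD/sssd/issue/4173
        1. Override the AD user's UID and GID by adding the user to an ID
           view on the IPA server.
        2. Stop SSSD, clear the SSSD cache and restart SSSD on an IPA
           client.
        3. getent with the UID from the ID view should return the AD domain
           after the default memcache_timeout.
        """
        client = self.clients[0]
        user = self.users['ad']['name']
        idview = 'testview'

        def verify_retrieved_users_domain():
            # Wait for the record to expire in SSSD's cache
            # (memcache_timeout default value is 300s).
            test_user = ['su', user, '-c', 'sleep 360; getent passwd 10001']
            result = client.run_command(test_user)
            assert user in result.stdout_text

        # verify the user can be retrieved initially
        tasks.clear_sssd_cache(self.master)
        self.master.run_command(['id', user])
        self.master.run_command(['ipa', 'idview-add', idview])
        # From here on the view exists on the server, so every later step
        # runs under the cleanup: a failure while adding or applying the
        # override must not leave 'testview' behind for subsequent tests.
        try:
            self.master.run_command(
                ['ipa', 'idoverrideuser-add', idview, user])
            self.master.run_command([
                'ipa', 'idview-apply', idview,
                '--hosts={0}'.format(client.hostname)
            ])
            self.master.run_command([
                'ipa', 'idoverrideuser-mod', idview, user, '--uid=10001',
                '--gid=10000'
            ])
            clear_sssd_cache(client)
            sssd_version = tasks.get_sssd_version(client)
            with xfail_context(sssd_version < tasks.parse_version('2.3.0'),
                               'https://pagure.io/SSSD/sssd/issue/4173'):
                verify_retrieved_users_domain()
        finally:
            self.master.run_command(['ipa', 'idview-del', idview])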