def test_ipahealthcheck_hidden_replica(self):
"""Ensure that ipa-healthcheck runs successfully on all members
of an IPA cluster that includes a hidden replica.
"""
os_version = (tasks.get_platform(self.master),
tasks.get_platform_version(self.master))
pki_version = tasks.get_pki_version(self.master)
# verify state
self._check_config([self.master], [self.replicas[0]])
# A DNA range is needed on the replica for ipa-healthcheck to work.
# Create a user so that the replica gets a range.
tasks.user_add(self.replicas[0], 'testuser')
tasks.user_del(self.replicas[0], 'testuser')
for srv in (self.master, self.replicas[0]):
returncode, _unused = run_healthcheck(srv, failures_only=True)
pki_too_old = \
(os_version[0] == 'fedora'
and pki_version < tasks.parse_version('11.1.0'))\
or (os_version[0] == 'rhel'
and os_version[1][0] == 8
and pki_version < tasks.parse_version('10.12.0'))\
or (os_version[0] == 'rhel'
and os_version[1][0] == 9
and pki_version < tasks.parse_version('11.0.4'))
with xfail_context(pki_too_old,
'https://pagure.io/freeipa/issue/8582'):
assert returncode == 0
def test_auth_keycloak_idp(self):
"""
Test case to check that OAuth 2.0 Device
Authorization Grant is working as
expected for user configured with external idp.
"""
create_quarkus.setup_keycloakserver(self.client)
time.sleep(60)
create_quarkus.setup_keycloak_client(self.client)
tasks.kinit_admin(self.master)
cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, 'keycloakuser',
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=keycloakidp"]
)
list_user = self.master.run_command(
["ipa", "user-find", "[email protected]"]
)
assert "keycloakuser" in list_user.stdout_text
list_by_idp = self.master.run_command(["ipa", "user-find",
"--idp=keycloakidp"]
)
assert "keycloakuser" in list_by_idp.stdout_text
list_by_user = self.master.run_command(
["ipa", "user-find", "[email protected]", "--all"]
)
assert "keycloakidp" in list_by_user.stdout_text
tasks.clear_sssd_cache(self.master)
kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client)
def test_EPN_smoketest_2(self, cleanupusers):
"""Add a user without password.
Add a user whose password expires within the default time range.
Check --dry-run output.
"""
tasks.user_add(self.master, "testuser0")
tasks.user_add(
self.master,
"testuser1",
password="******",
extra_args=[
"--password-expiration",
datetime_to_generalized_time(
datetime.datetime.utcnow() + datetime.timedelta(days=7)
),
],
)
(stdout_text_client, unused, _unused) = self._check_epn_output(
self.clients[0], dry_run=True
)
(stdout_text_master, unused, _unused) = self._check_epn_output(
self.master, dry_run=True
)
assert stdout_text_master == stdout_text_client
assert "testuser0" not in stdout_text_client
assert "testuser1" in stdout_text_client
def test_multiple_user_certificates(self):
"""Test that a user may be issued multiple certificates"""
ldap = self.master.ldap_connect()
user = '******'
tasks.kinit_admin(self.master)
tasks.user_add(self.master, user)
for id in (0, 1):
csr_file = f'{id}.csr'
key_file = f'{id}.key'
cert_file = f'{id}.crt'
openssl_cmd = [
'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
'-nodes', '-out', csr_file, '-subj', '/CN=' + user]
self.master.run_command(openssl_cmd)
cmd_args = ['ipa', 'cert-request', '--principal', user,
'--certificate-out', cert_file, csr_file]
self.master.run_command(cmd_args)
# easier to count by pulling the LDAP entry
entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
('cn', 'accounts'), self.master.domain.basedn))
assert len(entry.get('usercertificate')) == 2
def test_subid_useradmin(self):
tasks.kinit_admin(self.master)
uid_useradmin = "testuser_usermgr_mgr1"
role = "User Administrator"
uid = "testuser_usermgr_user1"
password = "******"
# create user administrator
tasks.create_active_user(self.master, uid_useradmin, password=password)
# add user to user admin group
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "role-add-member", role, f"--users={uid_useradmin}"], )
# kinit as user admin
tasks.kinit_user(self.master, uid_useradmin, password)
# create new user as user admin
tasks.user_add(self.master, uid)
# assign new subid to user (with useradmin credentials)
self.subid_generate(uid)
# test that user admin can preserve and delete users with subids
self.master.run_command(["ipa", "user-del", "--preserve", uid])
# XXX does not work, see subordinate-ids.md
# subid should still exist
# self.assert_subid(uid, match=True)
# final delete should remove the user and subid
self.master.run_command(["ipa", "user-del", uid])
self.assert_subid(uid, match=False)
def test_ipahealthcheck_hidden_replica(self):
"""Ensure that ipa-healthcheck runs successfully on all members
of an IPA cluster that includes a hidden replica.
"""
# verify state
self._check_config([self.master], [self.replicas[0]])
# A DNA range is needed on the replica for ipa-healthcheck to work.
# Create a user so that the replica gets a range.
tasks.user_add(self.replicas[0], 'testuser')
tasks.user_del(self.replicas[0], 'testuser')
for srv in (self.master, self.replicas[0]):
returncode, _unused = run_healthcheck(srv, failures_only=True)
assert returncode == 0
def tset_subid_auto_assign(self):
tasks.kinit_admin(self.master)
uid = "testuser_autoassign_user1"
self.master.run_command(
["ipa", "config-mod", "--user-default-subid=true"])
try:
tasks.user_add(self.master, uid)
self.assert_subid(uid, match=True)
finally:
self.master.run_command(
["ipa", "config-mod", "--user-default-subid=false"])
def install(cls, mh):
super(TestIDViews, cls).install(mh)
master = cls.master
client = cls.clients[0]
tasks.kinit_admin(master)
tasks.user_add(master,
cls.user1,
first='Test1',
extra_args=[
'--uid',
str(cls.user1_uid),
'--gidnumber',
str(cls.user1_gid),
])
tasks.user_add(master,
cls.user2,
first='Test2',
extra_args=[
'--uid',
str(cls.user2_uid),
'--gidnumber',
str(cls.user2_gid),
])
tasks.group_add(master,
cls.group1,
extra_args=['--gid', str(cls.group1_gid)])
master.run_command(['ipa', 'idview-add', cls.idview])
# add overrides for user1 and its default user group
master.run_command([
'ipa', 'idoverrideuser-add', cls.idview, cls.user1, '--uid',
str(cls.user1_uid_override), '--gid',
str(cls.user1_gid_override), '--homedir',
'/special-home/{}'.format(cls.user1), '--shell', '/bin/special'
])
master.run_command([
'ipa',
'idoverridegroup-add',
cls.idview,
cls.group1,
'--gid',
str(cls.group1_gid_override),
])
# ID view overrides don't work on IPA masters
master.run_command(
['ipa', 'idview-apply', cls.idview, '--hosts', client.hostname])
# finally restart SSSD to materialize idviews
client.run_command(['systemctl', 'restart', 'sssd.service'])
def install(cls, mh):
super(TestSSSDAuthCache, cls).install(mh)
cls.ad = cls.ads[0] # pylint: disable=no-member
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def test_ipa_subid_script(self):
tasks.kinit_admin(self.master)
tool = os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-subids")
users = []
for i in range(1, 11):
uid = f"testuser_script{i}"
users.append(uid)
tasks.user_add(self.master, uid)
self.assert_subid(uid, match=False)
cmd = [tool, "--verbose", "--group", "ipausers"]
self.master.run_command(cmd)
for uid in users:
self.assert_subid(uid, match=True)
def install(cls, mh):
super(TestSSSDWithAdTrust, cls).install(mh)
cls.ad = cls.ads[0]
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format(
domain=cls.ad.domain.name)
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def test_ipa_healthcheck_dna_plugin_returns_warning_pagure_issue_60(self):
"""
This testcase checks that the status for IPADNARangeCheck on replica
changes from WARNING to SUCCESS when user is added on the replica
as the DNA range is set.
Issue: freeipa/freeipa-healthcheck#60
"""
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
# Install ipa-healthcheck rpm on replica
tasks.install_packages(self.replicas[0], HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
self.replicas[0],
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 1
for check in data:
assert check["result"] == "WARNING"
assert (
check["kw"]["msg"] == "No DNA range defined. If no masters "
"define a range then users and groups cannot be created.")
# Now kinit as admin and add a user on replica which will create a
# DNA configuration.
tasks.kinit_admin(self.replicas[0])
tasks.user_add(
self.replicas[0],
'ipauser1',
first='Test',
last='User',
)
# Now run the ipa-healthcheck command again
returncode, data = run_healthcheck(
self.replicas[0],
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
def install(cls, mh):
super(TestSSSDWithAdTrust, cls).install(mh)
cls.ad = cls.ads[0]
tasks.install_adtrust(cls.master)
tasks.configure_dns_for_trust(cls.master, cls.ad)
tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format(
domain=cls.ad.domain.name)
# Regression tests for cached_auth_timeout option
# https://bugzilla.redhat.com/show_bug.cgi?id=1685581
tasks.user_add(cls.master, cls.intermed_user)
tasks.create_active_user(cls.master, cls.ipa_user,
cls.ipa_user_password)
def install(cls, mh):
super(TestIDViews, cls).install(mh)
master = cls.master
client = cls.clients[0]
tasks.kinit_admin(master)
tasks.user_add(
master, cls.user1, first='Test1',
extra_args=[
'--uid', str(cls.user1_uid),
'--gidnumber', str(cls.user1_gid),
]
)
tasks.user_add(
master, cls.user2, first='Test2',
extra_args=[
'--uid', str(cls.user2_uid),
'--gidnumber', str(cls.user2_gid),
]
)
tasks.group_add(
master, cls.group1, extra_args=['--gid', str(cls.group1_gid)]
)
master.run_command(['ipa', 'idview-add', cls.idview])
# add overrides for user1 and its default user group
master.run_command([
'ipa', 'idoverrideuser-add', cls.idview, cls.user1,
'--uid', str(cls.user1_uid_override),
'--gid', str(cls.user1_gid_override),
'--homedir', '/special-home/{}'.format(cls.user1),
'--shell', '/bin/special'
])
master.run_command([
'ipa', 'idoverridegroup-add', cls.idview, cls.group1,
'--gid', str(cls.group1_gid_override),
])
# ID view overrides don't work on IPA masters
master.run_command([
'ipa', 'idview-apply', cls.idview,
'--hosts', client.hostname
])
# finally restart SSSD to materialize idviews
client.run_command(['systemctl', 'restart', 'sssd.service'])
def test_auth_keycloak_idp(self):
keycloak_srv = self.replicas[0]
create_quarkus.setup_keycloakserver(keycloak_srv)
time.sleep(60)
create_quarkus.setup_keycloak_client(keycloak_srv)
tasks.kinit_admin(self.master)
cmd = ["ipa", "idp-add", "keycloak", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(keycloak_srv.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
keycloak_srv.config.admin_password))
tasks.user_add(self.master, 'keycloakuser',
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=keycloak"]
)
tasks.clear_sssd_cache(self.master)
kinit_idp(self.master, 'keycloakuser', keycloak_srv)
def test_ext_grp_with_ldap(self):
"""User and group with same name should not break reading AD user data.
Regression test for https://pagure.io/SSSD/sssd/issue/4073
When aduser is added in extrnal group and this group is added
in group with same name of nonprivate ipa user and possix id, then
lookup of aduser and group should be successful when cache is empty.
"""
cmd = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.parse_ipa_version(
cmd.stdout_text.strip())
if sssd_version <= platform_tasks.parse_ipa_version('2.2.2'):
pytest.skip("Fix for https://pagure.io/SSSD/sssd/issue/4073 "
"unavailable with sssd-2.2.2")
client = self.clients[0]
user = '******'
userid = '100996'
ext_group = 'ext-ipatest'
tasks.kinit_admin(self.master)
# add user with same uid and gidnumber
tasks.user_add(
self.master,
user,
extra_args=['--noprivate', '--uid', userid, '--gidnumber', userid])
# add group with same as user_name and user_id.
tasks.group_add(self.master, user, extra_args=['--gid', userid])
tasks.group_add(self.master, ext_group, extra_args=['--external'])
self.master.run_command(
['ipa', 'group-add-member', '--group', ext_group, user])
self.master.run_command([
'ipa', '-n', 'group-add-member', '--external',
self.users['ad']['name'], ext_group
])
tasks.clear_sssd_cache(self.master)
tasks.clear_sssd_cache(client)
try:
result = client.run_command(['id', self.users['ad']['name']])
assert '{uid}({name})'.format(uid=userid,
name=user) in result.stdout_text
finally:
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'group-del', user, ext_group])
def test_idp_backup_restore(self):
"""
Test case to check that after restore data is retrieved
with related idp configuration.
"""
tasks.kinit_admin(self.master)
user = "******"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
"--base-url={0}:8443/auth".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, user,
extra_args=["--user-auth-type=idp",
"[email protected]",
"--idp=testidp"]
)
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', user])
self.master.run_command(['ipa', 'idp-del', 'testidp'])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
try:
list_user = self.master.run_command(
['ipa', 'user-show', 'backupuser', '--all']
).stdout_text
assert "External IdP configuration: testidp" in list_user
assert "User authentication types: idp" in list_user
assert ("External IdP user identifier: "
"*****@*****.**") in list_user
list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp'])
assert "testidp" in list_idp.stdout_text
kinit_idp(self.master, user, self.client)
finally:
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
self.master.run_command(["rm", "-rf", backup_path])
self.master.run_command(["ipa", "idp-del", "testidp"])
def test_EPN_smoketest_3(self):
"""Add a bunch of users with incrementally expiring passwords
(one per day). Check --dry-run output.
"""
users = {}
userbase_str = "user"
for i in range(30):
uid = userbase_str + str(i)
users[i] = dict(
uid=uid,
days=i,
krbpasswordexpiration=datetime_to_generalized_time(
datetime.datetime.utcnow() + datetime.timedelta(days=i)
),
)
for key in users:
tasks.user_add(
self.master,
users[key]["uid"],
extra_args=[
"--password-expiration",
users[key]["krbpasswordexpiration"],
],
password=None,
)
(stdout_text_client, unused, _unused) = self._check_epn_output(
self.clients[0], dry_run=True
)
(stdout_text_master, unused, _unused) = self._check_epn_output(
self.master, dry_run=True
)
assert stdout_text_master == stdout_text_client
user_lst = []
for user in json.loads(stdout_text_master):
user_lst.append(user["uid"])
expected_users = ["user1", "user3", "user7", "user14", "user28"]
assert sorted(user_lst) == sorted(expected_users)
def test_change_user_pwd_history_issue7181(self, pwpolicy_global):
"""
Test that password history for a normal IPA user is honored.
"""
user = '******'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
tasks.user_add(master, user, password=original_passwd)
tasks.ldappasswd_user_change(user, original_passwd, new_passwd, master)
tasks.ldappasswd_user_change(user, new_passwd, original_passwd, master)
try:
tasks.ldappasswd_user_change(user, original_passwd, new_passwd,
master)
except CalledProcessError as e:
if e.returncode != 1:
raise
else:
pytest.fail("Password change violating policy did not fail")
def install(cls, mh):
super(TestMemberManager, cls).install(mh)
master = cls.master
tasks.create_active_user(master, USER_MM, PASSWORD)
tasks.create_active_user(master, USER_INDIRECT, PASSWORD)
tasks.create_active_user(master, USER1, PASSWORD)
tasks.kinit_admin(master)
tasks.group_add(master, GROUP_INDIRECT)
master.run_command([
'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT
])
tasks.user_add(master, USER2)
tasks.group_add(master, GROUP1)
tasks.group_add(master, GROUP2)
master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1])
# make mmuser a member manager for group and hostgroup
master.run_command([
'ipa', 'group-add-member-manager', GROUP1,
'--users', USER_MM
])
master.run_command([
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
'--users', USER_MM
])
# make indirect group member manager for group and hostgroup
master.run_command([
'ipa', 'group-add-member-manager', GROUP1,
'--groups', GROUP_INDIRECT
])
master.run_command([
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
'--groups', GROUP_INDIRECT
])
tasks.kdestroy_all(master)
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = backup(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
def test_full_backup_and_restore_with_replica(self, cert_sign_request):
# check prerequisites
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
self.master.run_command(
['ipa', 'service-add', 'TEST/' + self.master.hostname])
tasks.user_add(self.master, 'test1_master')
tasks.user_add(self.replica1, 'test1_replica')
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
# change data after backup
self.master.run_command(['ipa', 'user-del', 'test1_master'])
self.replica1.run_command(['ipa', 'user-del', 'test1_replica'])
tasks.user_add(self.master, 'test2_master')
tasks.user_add(self.replica1, 'test2_replica')
# simulate master crash
self.master.run_command(['ipactl', 'stop'])
tasks.uninstall_master(self.master, clean=False)
logger.info("Stopping and disabling oddjobd service")
self.master.run_command([
"systemctl", "stop", "oddjobd"
])
self.master.run_command([
"systemctl", "disable", "oddjobd"
])
self.master.run_command(['ipa-restore', '-U', backup_path])
status = self.master.run_command([
"systemctl", "status", "oddjobd"
])
assert "active (running)" in status.stdout_text
# replication should not work after restoration
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test3_master')
tasks.user_add(self.replica1, 'test3_replica')
self.check_replication_error(self.master)
self.check_replication_error(self.replica1)
assert {'admin', 'test1_master', 'test1_replica', 'test3_master'} == \
self.get_users(self.master)
assert {'admin', 'test2_master', 'test2_replica', 'test3_replica'} == \
self.get_users(self.replica1)
# reestablish and check replication
self.replica1.run_command(['ipa-replica-manage', 're-initialize',
'--from', self.master.hostname])
# create users to force master and replica to try to replicate
tasks.user_add(self.master, 'test4_master')
tasks.user_add(self.replica1, 'test4_replica')
self.check_replication_success(self.master)
self.check_replication_success(self.replica1)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.master)
assert {'admin', 'test1_master', 'test1_replica',
'test3_master', 'test4_master', 'test4_replica'} == \
self.get_users(self.replica1)
# CA on master should be accesible from master and replica
self.request_test_service_cert(
self.master, cert_sign_request[self.master.hostname])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
# replica should not be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname],
expect_connection_error=True)
finally:
self.master.run_command(['ipactl', 'start'])
tasks.install_ca(self.replica1)
# now replica should be able to sign certificates without CA on master
self.master.run_command(['ipactl', 'stop'])
self.request_test_service_cert(
self.replica1, cert_sign_request[self.replica1.hostname])
self.master.run_command(['ipactl', 'start'])
# check installation of new replica
tasks.install_replica(self.master, self.replica2, setup_ca=True)
check_replication(self.master, self.replica2, "testuser")
# new replica should be able to sign certificates without CA on master
# and old replica
self.master.run_command(['ipactl', 'stop'])
self.replica1.run_command(['ipactl', 'stop'])
try:
self.request_test_service_cert(
self.replica2, cert_sign_request[self.replica2.hostname])
finally:
self.replica1.run_command(['ipactl', 'start'])
self.master.run_command(['ipactl', 'start'])
def test_renew_expired_cert_replica(self, expire_certs):
"""Test renewal of certificates on replica with ipa-cert-fix
This is to check that ipa-cert-fix renews the certificates
on replica
related: https://pagure.io/freeipa/issue/7885
"""
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
check_status(self.master, 9, "MONITORING")
# replica operations
# 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
cmd = self.replicas[0].run_command([
'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n',
'Server-Cert cert-pki-ca'
])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('CA_UNREACHABLE'),
req_id,
timeout=600)
# get initial expiry date to compare later with renewed cert
initial_expiry = get_cert_expiry(self.replicas[0],
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca')
# check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
instance = realm_to_serverid(self.master.domain.realm)
dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
cmd = self.replicas[0].run_command(['getcert', 'list', '-f', cert])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
cmd = self.replicas[0].run_command(
['getcert', 'list', '-d', dirsrv_cert])
req_id = get_certmonger_fs_id(cmd.stdout_text)
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
# check if replication working fine
testuser = '******'
password = '******'
stdin = (f"{self.master.config.admin_password}\n"
f"{self.master.config.admin_password}\n"
f"{self.master.config.admin_password}\n")
self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
tasks.user_add(self.master, testuser, password=password)
self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
self.replicas[0].run_command(['ipa', 'user-show', testuser])
# renew shared certificates by resubmitting to certmonger
cmd = self.replicas[0].run_command(
['getcert', 'list', '-f', paths.RA_AGENT_PEM])
req_id = get_certmonger_fs_id(cmd.stdout_text)
if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(['getcert', 'resubmit', '-i', req_id])
tasks.wait_for_certmonger_status(self.replicas[0], ('MONITORING'),
req_id,
timeout=600)
for cert_nick in ('auditSigningCert cert-pki-ca',
'ocspSigningCert cert-pki-ca',
'subsystemCert cert-pki-ca'):
cmd = self.replicas[0].run_command([
'getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n',
cert_nick
])
req_id = get_certmonger_fs_id(cmd.stdout_text)
if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(
['getcert', 'resubmit', '-i', req_id])
tasks.wait_for_certmonger_status(self.replicas[0],
('MONITORING'),
req_id,
timeout=600)
self.replicas[0].run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n')
check_status(self.replicas[0], 9, "MONITORING")
# Sometimes certmonger takes time to update the cert status
# So check in nssdb instead of relying on getcert command
renewed_expiry = get_cert_expiry(self.replicas[0],
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca')
assert renewed_expiry > initial_expiry
