def install(cls, mh): super(BaseTestLegacyClient, cls).install(mh) tasks.kinit_admin(cls.master) password_confirmation = ( cls.master.config.admin_password + '\n' + cls.master.config.admin_password ) cls.master.run_command(['ipa', 'user-add', 'disabledipauser', '--first', 'disabled', '--last', 'ipauser', '--password'], stdin_text=password_confirmation) cls.master.run_command(['ipa', 'user-disable', 'disabledipauser']) cls.ad = cls.ad_domains[0].ads[0] cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0]) # Determine whether the subdomain AD is available try: child_ad = cls.host_by_role(cls.optional_extra_roles[0]) cls.ad_subdomain = '.'.join( child_ad.hostname.split('.')[1:]) except LookupError: cls.ad_subdomain = None tasks.apply_common_fixes(cls.legacy_client) for f in cls.backup_files: tasks.backup_file(cls.legacy_client, f)
def install(cls, mh): super(TestRulesWithServicePrincipals, cls).install(mh) master = cls.master tasks.kinit_admin(master) cls.replica = "replica.%s" % master.domain.name master.run_command(['ipa', 'host-add', cls.replica, '--force']) cls.service_name = "svc/%s" % master.hostname cls.replica_service_name = "svc/%s" % cls.replica master.run_command("ipa service-add %s" % cls.service_name) master.run_command("ipa service-add %s --force" % cls.replica_service_name) master.run_command("ipa service-add-host %s --hosts %s" % ( cls.service_name, cls.replica)) master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl) master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl, cls.replica)) master.run_command("ipa caacl-add-service %s --services" " svc/`hostname`" % cls.caacl) master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % ( cls.replica, master.domain.realm, cls.keytab)) master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica)) # Prepare a CSR cls.prepare_config() stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr], stdin_text=stdin_text)
def install(cls, mh): super(BaseTestLegacyClient, cls).install(mh) tasks.kinit_admin(cls.master) password_confirmation = (cls.master.config.admin_password + '\n' + cls.master.config.admin_password) cls.master.run_command([ 'ipa', 'user-add', 'disabledipauser', '--first', 'disabled', '--last', 'ipauser', '--password' ], stdin_text=password_confirmation) cls.master.run_command(['ipa', 'user-disable', 'disabledipauser']) cls.ad = cls.ad_domains[0].ads[0] cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0]) # Determine whether the subdomain AD is available try: child_ad = cls.host_by_role(cls.optional_extra_roles[0]) cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:]) except LookupError: cls.ad_subdomain = None tasks.apply_common_fixes(cls.legacy_client) for f in cls.backup_files: tasks.backup_file(cls.legacy_client, f)
def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-r', self.master.domain.name, '--external-ca' ]) nss_db = os.path.join(self.master.config.test_dir, 'testdb') external_cert_file = os.path.join(nss_db, 'ipa.crt') external_ca_file = os.path.join(nss_db, 'ca.crt') noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') # Create noise and password files for NSS database self.master.run_command('date | sha256sum > %s' % noisefile) self.master.run_command('echo %s > %s' % (self.master.config.admin_password, pwdfile)) # Create NSS database self.master.run_command(['mkdir', nss_db]) self.master.run_command( ['certutil', '-N', '-d', nss_db, '-f', pwdfile]) # Create external CA self.master.run_command( [ 'certutil', '-S', '-d', nss_db, '-f', pwdfile, '-n', 'external', '-s', 'CN=External CA, O=%s' % self.master.domain.name, '-x', '-t', 'CTu,CTu,CTu', '-g', '2048', '-m', '0', '-v', '60', '-z', noisefile, '-2', '-1', '-5' ], stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n') # Sign IPA cert request using the external CA self.master.run_command( [ 'certutil', '-C', '-d', nss_db, '-f', pwdfile, '-c', 'external', '-m', '1', '-v', '60', '-2', '-1', '-5', '-i', '/root/ipa.csr', '-o', external_cert_file, '-a' ], stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n') # Export external CA file self.master.run_command('certutil -L -d %s -n "external" -a > %s' % (nss_db, external_ca_file)) # Step 2 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--external-cert-file', external_cert_file, '--external-cert-file', external_ca_file ]) # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore""" with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_kra_install_master(self): result1 = tasks.install_kra(self.master, first_instance=True, raiseonerr=False) assert result1.returncode == 0, result1.stderr_text tasks.kinit_admin(self.master) result2 = self.master.run_command(["ipa", "vault-find"], raiseonerr=False) found = result2.stdout_text.find("0 vaults matched") assert found > 0, result2.stdout_text
def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ self.master.run_command([ 'kinit', '-kt', paths.IPA_KEYTAB, 'HTTP/%s' % self.master.hostname ]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) tasks.kinit_admin(self.master) self.master.run_command(['klist']) self.master.run_command(['smbcontrol', 'all', 'debug', '100']) result = self.master.run_command( [ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', 'Administrator', '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False) assert result != 0 assert ("Domain '{0}' is not a root domain".format(self.ad_treedomain) in result.stderr_text)
def install(cls, mh): super(TestRulesWithServicePrincipals, cls).install(mh) master = cls.master tasks.kinit_admin(master) cls.replica = "replica.%s" % master.domain.name master.run_command(['ipa', 'host-add', cls.replica, '--force']) cls.service_name = "svc/%s" % master.hostname cls.replica_service_name = "svc/%s" % cls.replica master.run_command("ipa service-add %s" % cls.service_name) master.run_command("ipa service-add %s --force" % cls.replica_service_name) master.run_command("ipa service-add-host %s --hosts %s" % (cls.service_name, cls.replica)) master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl) master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl, cls.replica)) master.run_command("ipa caacl-add-service %s --services" " svc/`hostname`" % cls.caacl) master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (cls.replica, master.domain.realm, cls.keytab)) master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica)) # Prepare a CSR cls.prepare_config() stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica master.run_command([ 'openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr ], stdin_text=stdin_text)
def teardown_method(self, method): self.replicas[0].run_command(['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)
def test_service_as_user_admin(self): """Test that a service in User Administrator role can manage users""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command([ 'ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s', self.master.hostname ]) # Check that the service cannot add a user self.master.run_command(['kdestroy']) self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) result = self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--service', service_name ], raiseonerr=False) assert result.returncode > 0 # Add service to User Administrator role self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--service', service_name ]) # Check that the service now can add a user self.master.run_command(['kdestroy']) self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) self.master.run_command([ 'ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b', '--random' ]) # Clean up self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'service-del', service_name]) self.master.run_command(['ipa', 'user-del', 'tuser'])
def test_kra_install_master(self): result1 = tasks.install_kra(self.master, first_instance=True, raiseonerr=False) assert result1.returncode == 0, result1.stderr_text tasks.kinit_admin(self.master) result2 = self.master.run_command(["ipa", "vault-find"], raiseonerr=False) found = result2.stdout_text.find("0 vaults matched") assert (found > 0), result2.stdout_text
def run_advice(master, advice_id, advice_regex, raiseerr): # Obtain the advice from the server tasks.kinit_admin(master) result = master.run_command(['ipa-advise', advice_id], raiseonerr=raiseerr) if not result.stdout_text: advice = result.stderr_text else: advice = result.stdout_text assert re.search(advice_regex, advice, re.S)
def test_service_as_user_admin(self): """Test that a service in User Administrator role can manage users""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s', self.master.hostname]) # Check that the service cannot add a user self.master.run_command(['kdestroy']) self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) result = self.master.run_command(['ipa', 'role-add-member', 'User Administrator', '--service', service_name], raiseonerr=False) assert result.returncode > 0 # Add service to User Administrator role self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'role-add-member', 'User Administrator', '--service', service_name]) # Check that the service now can add a user self.master.run_command(['kdestroy']) self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) self.master.run_command(['ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b', '--random']) # Clean up self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'service-del', service_name]) self.master.run_command(['ipa', 'user-del', 'tuser'])
def test_service_access(self): """ Test that user is granted access when authenticated using credentials that are sufficient for a service, and denied access when using insufficient credentials""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service without authentication indicator self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Set authentication-type for admin user self.master.run_command(['ipa', 'user-mod', 'admin', '--user-auth-type=password', '--user-auth-type=otp']) # Authenticate self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is granted result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode == 0 # Obtain admin ticket to be able to update service tasks.kinit_admin(self.master) # Modify service to have authentication indicator self.master.run_command(['ipa', 'service-mod', service_name, '--auth-ind=otp']) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Authenticate self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is rejected result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode > 0
def test_replica_after_domain_upgrade(self): tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) self.master.run_command(["ipa", "user-add", self.username, "--first", "test", "--last", "user"]) tasks.wait_for_replication(self.replicas[0].ldap_connect()) self.master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)]) result = self.replicas[0].run_command(["ipa", "user-show", self.username]) assert ( "User login: %s" % self.username in result.stdout_text ), "A testuser was not found on replica after domain upgrade" self.replicas[0].run_command(["ipa", "user-del", self.username]) tasks.wait_for_replication(self.master.ldap_connect()) result1 = self.master.run_command(["ipa", "user-show", self.username], raiseonerr=False) assert_error(result1, "%s: user not found" % self.username, 2)
def test_apply_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) result = self.master.run_command(['ipa-advise', self.advice_id]) advice = result.stdout_text # Apply the advice on the legacy client advice_path = os.path.join(self.legacy_client.config.test_dir, 'advice.sh') self.legacy_client.put_file_contents(advice_path, advice) result = self.legacy_client.run_command(['bash', '-x', '-e', advice_path]) # Restart SSHD to load new PAM configuration self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def restore_checker(host): """Check that the IPA at host works the same at context enter and exit""" tasks.kinit_admin(host) results = [] for check, assert_func in CHECKS: log.info('Storing result for %s', check) results.append(check(host)) yield for (check, assert_func), expected in zip(CHECKS, results): log.info('Checking result for %s', check) got = check(host) assert_func(expected, got)
def test_apply_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) result = self.master.run_command(['ipa-advise', self.advice_id]) advice = result.stdout_text # Apply the advice on the legacy client advice_path = os.path.join(self.legacy_client.config.test_dir, 'advice.sh') self.legacy_client.put_file_contents(advice_path, advice) result = self.legacy_client.run_command( ['bash', '-x', '-e', advice_path]) # Restart SSHD to load new PAM configuration self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def install(cls, mh): cls.username = "******" tasks.install_master(cls.master, domain_level=cls.domain_level) password = cls.master.config.dirman_password cls.new_password = "******" adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password) tasks.kinit_admin(cls.master) cls.master.run_command( ["ipa", "user-add", cls.username, "--password", "--first", "John", "--last", "Donn"], stdin_text=adduser_stdin_text, ) # Now we need to change the password for the user cls.master.run_command(["kinit", cls.username], stdin_text=user_kinit_stdin_text) # And again kinit admin tasks.kinit_admin(cls.master)
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert (segment['name'] in result1), ("%s: segment not found" % segment['name']) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 # Since segment name can be one of master-to-replica2 or # replica2-to-master, we need to determine the segment name dynamically deleteme = find_segment(self.master, self.replicas[1]) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # Wait till replication ends and make sure replica1 does not have # segment that was deleted on master replica1_ldap = self.replicas[0].ldap_connect() tasks.wait_for_replication(replica1_ldap) result3 = self.replicas[0].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert (deleteme not in result3), "%s: segment still exists" % deleteme # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command([ 'ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user' ]) dest_ldap = self.replicas[1].ldap_connect() tasks.wait_for_replication(dest_ldap) result4 = self.replicas[1].run_command(['ipa', 'user-find']) assert ('someuser' in result4.stdout_text), 'User not found: someuser'
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(segment['name'] in result1), ( "%s: segment not found" % segment['name']) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 # Since segment name can be one of master-to-replica2 or # replica2-to-master, we need to determine the segment name dynamically deleteme = find_segment(self.master, self.replicas[1]) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # Wait till replication ends and make sure replica1 does not have # segment that was deleted on master replica1_ldap = self.replicas[0].ldap_connect() tasks.wait_for_replication(replica1_ldap) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(deleteme not in result3), "%s: segment still exists" % deleteme # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command(['ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user']) dest_ldap = self.replicas[1].ldap_connect() tasks.wait_for_replication(dest_ldap) result4 = self.replicas[1].run_command(['ipa', 'user-find']) assert('someuser' in result4.stdout_text), 'User not found: someuser'
def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): # create vault self.master.run_command([ "ipa", "vault-add", self.vault_name, "--password", self.vault_password, "--type", "symmetric", ]) # archive secret self.master.run_command([ "ipa", "vault-archive", self.vault_name, "--password", self.vault_password, "--data", self.vault_data, ]) # retrieve secret self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ]) backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) # retrieve secret after restore self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ])
def install(cls, mh): cls.username = '******' tasks.install_master(cls.master, domain_level=cls.domain_level) password = cls.master.config.dirman_password cls.new_password = '******' adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password) tasks.kinit_admin(cls.master) cls.master.run_command(['ipa', 'user-add', cls.username, '--password', '--first', 'John', '--last', 'Donn'], stdin_text=adduser_stdin_text) # Now we need to change the password for the user cls.master.run_command(['kinit', cls.username], stdin_text=user_kinit_stdin_text) # And again kinit admin tasks.kinit_admin(cls.master)
def test_invalid_range_types(self): invalid_range_types = ['ipa-local', 'ipa-ad-winsync', 'ipa-ipa-trust', 'random-invalid', 're@ll%ybad12!'] for range_type in invalid_range_types: tasks.kinit_admin(self.master) result = self.master.run_command( ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin', 'Administrator', '--range-type', range_type, '--password'], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) # The trust-add command is supposed to fail assert result.returncode == 1
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text first_segment_name = "%s-to-%s" % (self.master.hostname, self.replicas[0].hostname) expected_segment = { 'connectivity': 'both', 'leftnode': self.master.hostname, 'name': first_segment_name, 'rightnode': self.replicas[0].hostname} firstsegment = self.tokenize_topologies(result1)[0] assert_deepequal(expected_segment, firstsegment) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert(len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. tasks.uninstall_master(self.replicas[1]) tasks.clean_replication_agreement(self.master, self.replicas[1]) result5 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_replica_after_domain_upgrade(self): tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) self.master.run_command([ 'ipa', 'user-add', self.username, '--first', 'test', '--last', 'user' ]) tasks.wait_for_replication(self.replicas[0].ldap_connect()) self.master.run_command( ['ipa', 'domainlevel-set', str(DOMAIN_LEVEL_1)]) result = self.replicas[0].run_command( ['ipa', 'user-show', self.username]) assert ("User login: %s" % self.username in result.stdout_text), ( "A testuser was not found on replica after domain upgrade") self.replicas[0].run_command(['ipa', 'user-del', self.username]) tasks.wait_for_replication(self.master.ldap_connect()) result1 = self.master.run_command(['ipa', 'user-show', self.username], raiseonerr=False) assert_error(result1, "%s: user not found" % self.username, 2)
def install(cls, mh): cls.username = '******' tasks.install_master(cls.master, domain_level=cls.domain_level) password = cls.master.config.dirman_password cls.new_password = '******' adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password) tasks.kinit_admin(cls.master) cls.master.run_command([ 'ipa', 'user-add', cls.username, '--password', '--first', 'John', '--last', 'Donn' ], stdin_text=adduser_stdin_text) # Now we need to change the password for the user cls.master.run_command(['kinit', cls.username], stdin_text=user_kinit_stdin_text) # And again kinit admin tasks.kinit_admin(cls.master)
def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB, 'HTTP/%s' % self.master.hostname]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) tasks.kinit_admin(self.master) self.master.run_command(['klist']) self.master.run_command(['smbcontrol', 'all', 'debug', '100']) result = self.master.run_command([ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', 'Administrator', '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False) assert result != 0 assert ("Domain '{0}' is not a root domain".format( self.ad_treedomain) in result.stderr_text)
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) first_segment_name = "%s-to-%s" % (self.master.hostname, self.replicas[0].hostname) output1 = result1.stdout_text firstsegment = self.tokenize_topologies(output1)[0] assert(firstsegment['name'] == first_segment_name) assert(self.noentries_re.search(output1).group(1) == "1") assert(firstsegment['leftnode'] == self.master.hostname) assert(firstsegment['rightnode'] == self.replicas[0].hostname) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert(len(segments) == 2) assert(result2.stdout_text == result3.stdout_text) assert(result3.stdout_text == result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. tasks.uninstall_master(self.replicas[1]) tasks.clean_replication_agreement(self.master, self.replicas[1]) result5 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) assert(self.noentries_re.search(result5.stdout_text).group(1) == "1")
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert (self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert (self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert (len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. tasks.uninstall_master(self.replicas[1]) tasks.clean_replication_agreement(self.master, self.replicas[1]) result5 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert (num_entries == "1"), "Incorrect number of entries displayed"
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) assert(result1.stdout_text.find(segment['name']) > 0) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 deleteme = "%s-to-%s" % (self.master.hostname, self.replicas[1].hostname) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # make sure replica1 does not have segment that was deleted on master result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) assert(result3.stdout_text.find(deleteme) < 0) # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command(['ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user']) time.sleep(60) # replication requires some time users_on_replica2 = self.replicas[1].run_command(['ipa', 'user-find']) assert(users_on_replica2.find('someuser') > 0)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False): with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, '--dnssec', 'true', ]) assert wait_until_record_is_signed(self.master.ip, self.example_test_zone, self.log), "Zone is not signed" backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') assert wait_until_record_is_signed(self.master.ip, self.example_test_zone, self.log), ("Zone is not signed after " "restore") tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, '--dnssec', 'true', ]) assert wait_until_record_is_signed(self.master.ip, self.example2_test_zone, self.log), "A new zone is not signed"
def rekinit(self): self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master)
def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-r', self.master.domain.name, '--external-ca' ]) nss_db = os.path.join(self.master.config.test_dir, 'testdb') external_cert_file = os.path.join(nss_db, 'ipa.crt') external_ca_file = os.path.join(nss_db, 'ca.crt') noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') # Create noise and password files for NSS database self.master.run_command('date | sha256sum > %s' % noisefile) self.master.run_command('echo %s > %s' % (self.master.config.admin_password, pwdfile)) # Create NSS database self.master.run_command(['mkdir', nss_db]) self.master.run_command([ 'certutil', '-N', '-d', nss_db, '-f', pwdfile ]) # Create external CA self.master.run_command([ 'certutil', '-S', '-d', nss_db, '-f', pwdfile, '-n', 'external', '-s', 'CN=External CA, O=%s' % self.master.domain.name, '-x', '-t', 'CTu,CTu,CTu', '-g', '2048', '-m', '0', '-v', '60', '-z', noisefile, '-2', '-1', '-5' ], stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n') # Sign IPA cert request using the external CA self.master.run_command([ 'certutil', '-C', '-d', nss_db, '-f', pwdfile, '-c', 'external', '-m', '1', '-v', '60', '-2', '-1', '-5', '-i', '/root/ipa.csr', '-o', external_cert_file, '-a' ], stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n') # Export external CA file self.master.run_command( 'certutil -L -d %s -n "external" -a > %s' % (nss_db, external_ca_file) ) # Step 2 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--external_cert_file', external_cert_file, '--external_ca_file', external_ca_file ]) # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def teardown_method(self, method): self.replicas[0].run_command(["ipa-client-install", "--uninstall", "-U"], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(["ipa", "host-del", self.replicas[0].hostname], raiseonerr=False)
def test_http_kdc_proxy_works(self): result = tasks.kinit_admin(self.clients[0], raiseonerr=False) assert (result.returncode == 0), ( "Unable to kinit using KdcProxy: %s" % result.stderr_text)
def test_http_kdc_proxy_works(self): result = tasks.kinit_admin(self.clients[0], raiseonerr=False) assert(result.returncode == 0), ( "Unable to kinit using KdcProxy: %s" % result.stderr_text )
def teardown_method(self, method): self.replicas[0].run_command( ['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)