def test_add_permission_failure_issue5923(self): # https://pagure.io/freeipa/issue/5923 # error response used to contain bytes instead of text tasks.kinit_admin(self.master) # neither privilege nor permission exists result = self.master.run_command([ "ipa", "privilege-add-permission", "loc", "--permission='System: Show IPA Locations" ], raiseonerr=False) assert result.returncode == 2 err = result.stderr_text.strip() # pylint: disable=no-member assert err == "ipa: ERROR: loc: privilege not found" # add privilege result = self.master.run_command(["ipa", "privilege-add", "loc"], ) assert 'Added privilege "loc"' in result.stdout_text # permission is still missing result = self.master.run_command([ "ipa", "privilege-add-permission", "loc", "--permission='System: Show IPA Locations" ], raiseonerr=False) assert result.returncode == 1 assert "Number of permissions added 0" in result.stdout_text
def install(cls, mh): super(TestRulesWithServicePrincipals, cls).install(mh) master = cls.master tasks.kinit_admin(master) cls.replica = "replica.%s" % master.domain.name master.run_command(['ipa', 'host-add', cls.replica, '--force']) cls.service_name = "svc/%s" % master.hostname cls.replica_service_name = "svc/%s" % cls.replica master.run_command("ipa service-add %s" % cls.service_name) master.run_command("ipa service-add %s --force" % cls.replica_service_name) master.run_command("ipa service-add-host %s --hosts %s" % (cls.service_name, cls.replica)) master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl) master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl, cls.replica)) master.run_command("ipa caacl-add-service %s --services" " svc/`hostname`" % cls.caacl) master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (cls.replica, master.domain.realm, cls.keytab)) master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica)) # Prepare a CSR cls.prepare_config() stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica master.run_command([ 'openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr ], stdin_text=stdin_text)
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore""" with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_stageuser_show_as_alternate_admin(self): """ Test that a user member of admins group can call stageuser-show and read the 'Kerberos Keys available' information. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new stage user 'stageuser' with a password stageuser = '******' password = '******' stageuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command(['ipa', 'stageuser-add', stageuser, '--first', stageuser, '--last', stageuser, '--password'], stdin_text=stageuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa stageuser-show # the field Kerberos Keys available must contain True result = self.master.run_command(['ipa', 'stageuser-show', stageuser]) assert 'Kerberos keys available: True' in result.stdout_text
def test_delete_preserve_as_alternate_admin(self): """ Test that a user member of admins group can call delete --preserve. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new user 'testuser' with a password testuser = '******' password = '******' testuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command(['ipa', 'user-add', testuser, '--first', testuser, '--last', testuser, '--password'], stdin_text=testuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa user-del --preserve self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
def test_delete_preserve_as_alternate_admin(self): """ Test that a user member of admins group can call delete --preserve. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new user 'testuser' with a password testuser = '******' password = '******' testuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command(['ipa', 'user-add', testuser, '--first', testuser, '--last', testuser, '--password'], stdin_text=testuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa user-del --preserve self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1(self.master) assert result.returncode == 0 # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2( self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = self.master.run_command([ 'ldapsearch', '-x', '-D', 'cn=directory manager', '-w', self.master.config.dirman_password, '-b', 'cn=mapping tree,cn=config', '(cn=replica)', '-LLL', '-o', 'ldif-wrap=no']) assert 'nsds5ReplicaReleaseTimeout: 60' in result.stdout_text
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1(self.master) assert result.returncode == 0 # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text # check that we can also install replica tasks.install_replica(self.master, self.replicas[0]) # check that nsds5ReplicaReleaseTimeout option was set result = self.master.run_command([ 'ldapsearch', '-x', '-D', 'cn=directory manager', '-w', self.master.config.dirman_password, '-b', 'cn=mapping tree,cn=config', '(cn=replica)', '-LLL', '-o', 'ldif-wrap=no' ]) # case insensitive match text = result.stdout_text.lower() # see ipaserver.install.replication.REPLICA_FINAL_SETTINGS assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_stageuser_show_as_alternate_admin(self): """ Test that a user member of admins group can call stageuser-show and read the 'Kerberos Keys available' information. This is a test case for issue 7342 """ # kinit admin tasks.kinit_admin(self.master) # Create a new stage user 'stageuser' with a password stageuser = '******' password = '******' stageuser_password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command(['ipa', 'stageuser-add', stageuser, '--first', stageuser, '--last', stageuser, '--password'], stdin_text=stageuser_password_confirmation) # kinit as altadmin self.master.run_command(['kinit', self.altadmin], stdin_text=self.master.config.admin_password) # call ipa stageuser-show # the field Kerberos Keys available must contain True result = self.master.run_command(['ipa', 'stageuser-show', stageuser]) assert 'Kerberos keys available: True' in result.stdout_text
def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ self.master.run_command([ 'kinit', '-kt', paths.HTTP_KEYTAB, 'HTTP/%s' % self.master.hostname ]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) tasks.kinit_admin(self.master) self.master.run_command(['klist']) self.master.run_command(['smbcontrol', 'all', 'debug', '100']) result = self.master.run_command( [ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', 'Administrator', '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False) assert result != 0 assert ("Domain '{0}' is not a root domain".format(self.ad_treedomain) in result.stderr_text)
def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-n', self.master.domain.name, '-r', self.master.domain.realm, '--domain-level=%i' % self.master.config.domain_level, '--external-ca' ]) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--external-cert-file', ipa_ca_fname, '--external-cert-file', root_ca_fname ]) # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def test_add_permission_failure_issue5923(self): # https://pagure.io/freeipa/issue/5923 # error response used to contain bytes instead of text tasks.kinit_admin(self.master) # neither privilege nor permission exists result = self.master.run_command( ["ipa", "privilege-add-permission", "loc", "--permission='System: Show IPA Locations"], raiseonerr=False ) assert result.returncode == 2 err = result.stderr_text.strip() # pylint: disable=no-member assert err == "ipa: ERROR: loc: privilege not found" # add privilege result = self.master.run_command( ["ipa", "privilege-add", "loc"], ) assert 'Added privilege "loc"' in result.stdout_text # permission is still missing result = self.master.run_command( ["ipa", "privilege-add-permission", "loc", "--permission='System: Show IPA Locations"], raiseonerr=False ) assert result.returncode == 1 assert "Number of permissions added 0" in result.stdout_text
def install(cls, mh): super(TestRulesWithServicePrincipals, cls).install(mh) master = cls.master tasks.kinit_admin(master) cls.replica = "replica.%s" % master.domain.name master.run_command(['ipa', 'host-add', cls.replica, '--force']) cls.service_name = "svc/%s" % master.hostname cls.replica_service_name = "svc/%s" % cls.replica master.run_command("ipa service-add %s" % cls.service_name) master.run_command("ipa service-add %s --force" % cls.replica_service_name) master.run_command("ipa service-add-host %s --hosts %s" % ( cls.service_name, cls.replica)) master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl) master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl, cls.replica)) master.run_command("ipa caacl-add-service %s --services" " svc/`hostname`" % cls.caacl) master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % ( cls.replica, master.domain.realm, cls.keytab)) master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica)) # Prepare a CSR cls.prepare_config() stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr], stdin_text=stdin_text)
def _full_backup_restore_with_DNS_zone(self, reinstall=False): """backup, uninstall, restore""" with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, ]) tasks.resolve_record(self.master.ip, self.example_test_zone) backup_path = backup(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.resolve_record(self.master.ip, self.example_test_zone) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, ]) tasks.resolve_record(self.master.ip, self.example2_test_zone)
def teardown_method(self, method): self.replicas[0].run_command(['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)
def teardown_method(self, method): self.replicas[0].run_command(['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)
def test_service_as_user_admin(self): """Test that a service in User Administrator role can manage users""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command([ 'ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s', self.master.hostname ]) # Check that the service cannot add a user self.master.run_command(['kdestroy']) self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) result = self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--service', service_name ], raiseonerr=False) assert result.returncode > 0 # Add service to User Administrator role self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'role-add-member', 'User Administrator', '--service', service_name ]) # Check that the service now can add a user self.master.run_command(['kdestroy']) self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) self.master.run_command([ 'ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b', '--random' ]) # Clean up self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'service-del', service_name]) self.master.run_command(['ipa', 'user-del', 'tuser'])
def teardown_method(self, method): if len(config.domains) == 0: # No YAML config was set return self.replicas[0].run_command( ['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)
def test_kra_install_master(self): result1 = tasks.install_kra(self.master, first_instance=True, raiseonerr=False) assert result1.returncode == 0, result1.stderr_text tasks.kinit_admin(self.master) result2 = self.master.run_command(["ipa", "vault-find"], raiseonerr=False) found = result2.stdout_text.find("0 vaults matched") assert (found > 0), result2.stdout_text
def test_kra_install_master(self): result1 = tasks.install_kra(self.master, first_instance=True, raiseonerr=False) assert result1.returncode == 0, result1.stderr_text tasks.kinit_admin(self.master) result2 = self.master.run_command(["ipa", "vault-find"], raiseonerr=False) found = result2.stdout_text.find("0 vaults matched") assert(found > 0), result2.stdout_text
def test_service_as_user_admin(self): """Test that a service in User Administrator role can manage users""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s', self.master.hostname]) # Check that the service cannot add a user self.master.run_command(['kdestroy']) self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) result = self.master.run_command(['ipa', 'role-add-member', 'User Administrator', '--service', service_name], raiseonerr=False) assert result.returncode > 0 # Add service to User Administrator role self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'role-add-member', 'User Administrator', '--service', service_name]) # Check that the service now can add a user self.master.run_command(['kdestroy']) self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) self.master.run_command(['ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b', '--random']) # Clean up self.master.run_command(['kdestroy']) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'service-del', service_name]) self.master.run_command(['ipa', 'user-del', 'tuser'])
def teardown_method(self, method): if len(config.domains) == 0: # No YAML config was set return self.replicas[0].run_command(['ipa-client-install', '--uninstall', '-U'], raiseonerr=False) tasks.kinit_admin(self.master) self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname], raiseonerr=False)
def run_advice(master, advice_id, advice_regex, raiseerr): # Obtain the advice from the server tasks.kinit_admin(master) result = master.run_command(['ipa-advise', advice_id], raiseonerr=raiseerr) if not result.stdout_text: advice = result.stderr_text else: advice = result.stdout_text assert re.search(advice_regex, advice, re.S)
def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): # create vault self.master.run_command([ "ipa", "vault-add", self.vault_name, "--password", self.vault_password, "--type", "symmetric", ]) # archive secret self.master.run_command([ "ipa", "vault-archive", self.vault_name, "--password", self.vault_password, "--data", self.vault_data, ]) # retrieve secret self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ]) backup_path = backup(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) # retrieve secret after restore self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ])
def run_advice(master, advice_id, advice_regex, raiseerr): # Obtain the advice from the server tasks.kinit_admin(master) result = master.run_command(['ipa-advise', advice_id], raiseonerr=raiseerr) if not result.stdout_text: advice = result.stderr_text else: advice = result.stdout_text assert re.search(advice_regex, advice, re.S)
def test_service_access(self): """ Test that user is granted access when authenticated using credentials that are sufficient for a service, and denied access when using insufficient credentials""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service without authentication indicator self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Set authentication-type for admin user self.master.run_command(['ipa', 'user-mod', 'admin', '--user-auth-type=password', '--user-auth-type=otp']) # Authenticate self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is granted result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode == 0 # Obtain admin ticket to be able to update service tasks.kinit_admin(self.master) # Modify service to have authentication indicator self.master.run_command(['ipa', 'service-mod', service_name, '--auth-ind=otp']) self.master.run_command(['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Authenticate self.master.run_command(['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is rejected result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode > 0
def test_service_access(self): """ Test that user is granted access when authenticated using credentials that are sufficient for a service, and denied access when using insufficient credentials""" service_name = 'testservice/%s@%s' % (self.master.hostname, self.master.domain.realm) keytab_file = os.path.join(self.master.config.test_dir, 'testservice_keytab') # Prepare a service without authentication indicator self.master.run_command(['ipa', 'service-add', service_name]) self.master.run_command( ['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Set authentication-type for admin user self.master.run_command([ 'ipa', 'user-mod', 'admin', '--user-auth-type=password', '--user-auth-type=otp' ]) # Authenticate self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is granted result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode == 0 # Obtain admin ticket to be able to update service tasks.kinit_admin(self.master) # Modify service to have authentication indicator self.master.run_command( ['ipa', 'service-mod', service_name, '--auth-ind=otp']) self.master.run_command( ['ipa-getkeytab', '-p', service_name, '-k', keytab_file]) # Authenticate self.master.run_command( ['kinit', '-k', service_name, '-t', keytab_file]) # Verify access to service is rejected result = self.master.run_command(['kvno', service_name], raiseonerr=False) assert result.returncode > 0
def restore_checker(host): """Check that the IPA at host works the same at context enter and exit""" tasks.kinit_admin(host) results = [] for check, assert_func in CHECKS: log.info('Storing result for %s', check) results.append(check(host)) yield for (check, assert_func), expected in zip(CHECKS, results): log.info('Checking result for %s', check) got = check(host) assert_func(expected, got)
def test_certmap_match_issue7520(self): # https://pagure.io/freeipa/issue/7520 tasks.kinit_admin(self.master) result = self.master.run_command( ['ipa', 'certmap-match', paths.IPA_CA_CRT], raiseonerr=False) assert result.returncode == 1 assert not result.stderr_text assert "0 users matched" in result.stdout_text cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT) result = self.master.run_command( ['ipa', 'certmap-match', '--certificate', cab64], raiseonerr=False) assert result.returncode == 1 assert not result.stderr_text assert "0 users matched" in result.stdout_text
def test_apply_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) result = self.master.run_command(['ipa-advise', self.advice_id]) advice = result.stdout_text # Apply the advice on the legacy client advice_path = os.path.join(self.legacy_client.config.test_dir, 'advice.sh') self.legacy_client.put_file_contents(advice_path, advice) result = self.legacy_client.run_command(['bash', '-x', '-e', advice_path]) # Restart SSHD to load new PAM configuration self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def restore_checker(host): """Check that the IPA at host works the same at context enter and exit""" tasks.kinit_admin(host) results = [] for check, assert_func in CHECKS: logger.info('Storing result for %s', check.__name__) results.append(check(host)) yield for (check, assert_func), expected in zip(CHECKS, results): logger.info('Checking result for %s', check.__name__) got = check(host) assert_func(expected, got)
def test_apply_advice(self): # Obtain the advice from the server tasks.kinit_admin(self.master) result = self.master.run_command(['ipa-advise', self.advice_id]) advice = result.stdout_text # Apply the advice on the legacy client advice_path = os.path.join(self.legacy_client.config.test_dir, 'advice.sh') self.legacy_client.put_file_contents(advice_path, advice) result = self.legacy_client.run_command(['bash', '-x', '-e', advice_path]) # Restart SSHD to load new PAM configuration self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def test_installclient_as_user_admin(self): """ipa-client-install should not use hardcoded admin for principal In ipaclient-install.log it should use the username that was entered earlier in the install process at the prompt. Related to : https://pagure.io/freeipa/issue/5406 """ client = self.clients[0] tasks.install_master(self.master) tasks.kinit_admin(self.master) username = '******' password = '******' password_confirmation = "%s\n%s\n" % (password, password) self.master.run_command(['ipa', 'user-add', username, '--first', username, '--last', username, '--password'], stdin_text=password_confirmation) role_add = ['ipa', 'role-add', 'useradmin'] self.master.run_command(role_add) self.master.run_command(['ipa', 'privilege-add', 'Add Hosts']) self.master.run_command(['ipa', 'privilege-add-permission', '--permissions', 'System: Add Hosts', 'Add Hosts']) self.master.run_command(['ipa', 'role-add-privilege', 'useradmin', '--privileges', 'Host Enrollment']) self.master.run_command(['ipa', 'role-add-privilege', 'useradmin', '--privileges', 'Add Hosts']) role_member_add = ['ipa', 'role-add-member', 'useradmin', '--users={}'.format(username)] self.master.run_command(role_member_add) user_kinit = "%s\n%s\n%s\n" % (password, password, password) self.master.run_command(['kinit', username], stdin_text=user_kinit) tasks.install_client(self.master, client, user=username, password=password) msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \ (username, client.domain.name) install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG, encoding='utf-8') assert msg in install_log
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert (segment['name'] in result1), ("%s: segment not found" % segment['name']) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 # Since segment name can be one of master-to-replica2 or # replica2-to-master, we need to determine the segment name dynamically deleteme = find_segment(self.master, self.replicas[1]) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # Wait till replication ends and make sure replica1 does not have # segment that was deleted on master replica1_ldap = self.replicas[0].ldap_connect() tasks.wait_for_replication(replica1_ldap) result3 = self.replicas[0].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert (deleteme not in result3), "%s: segment still exists" % deleteme # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command([ 'ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user' ]) dest_ldap = self.replicas[1].ldap_connect() tasks.wait_for_replication(dest_ldap) result4 = self.replicas[1].run_command(['ipa', 'user-find']) assert ('someuser' in result4.stdout_text), 'User not found: someuser'
def test_add_remove_segment(self): """ Make sure a topology segment can be manually created and deleted with the influence on the real topology Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case:_Basic_CRUD_test """ tasks.kinit_admin(self.master) # Install the second replica tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # turn a star into a ring segment, err = tasks.create_segment(self.master, self.replicas[0], self.replicas[1]) assert err == "", err # Make sure the new segment is shown by `ipa topologysegment-find` result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(segment['name'] in result1), ( "%s: segment not found" % segment['name']) # Remove master <-> replica2 segment and make sure that the changes get # there through replica1 # Since segment name can be one of master-to-replica2 or # replica2-to-master, we need to determine the segment name dynamically deleteme = find_segment(self.master, self.replicas[1]) returncode, error = tasks.destroy_segment(self.master, deleteme) assert returncode == 0, error # Wait till replication ends and make sure replica1 does not have # segment that was deleted on master replica1_ldap = self.replicas[0].ldap_connect() tasks.wait_for_replication(replica1_ldap) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text assert(deleteme not in result3), "%s: segment still exists" % deleteme # Create test data on master and make sure it gets all the way down to # replica2 through replica1 self.master.run_command(['ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user']) dest_ldap = self.replicas[1].ldap_connect() tasks.wait_for_replication(dest_ldap) result4 = self.replicas[1].run_command(['ipa', 'user-find']) assert('someuser' in result4.stdout_text), 'User not found: someuser'
def _full_backup_restore_with_vault(self, reinstall=False): with restore_checker(self.master): # create vault self.master.run_command([ "ipa", "vault-add", self.vault_name, "--password", self.vault_password, "--type", "symmetric", ]) # archive secret self.master.run_command([ "ipa", "vault-archive", self.vault_name, "--password", self.vault_password, "--data", self.vault_data, ]) # retrieve secret self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ]) backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') tasks.kinit_admin(self.master) # retrieve secret after restore self.master.run_command([ "ipa", "vault-retrieve", self.vault_name, "--password", self.vault_password, ])
def test_cert_find_issue7520(self): # https://pagure.io/freeipa/issue/7520 tasks.kinit_admin(self.master) subject = 'CN=Certificate Authority,O={}'.format( self.master.domain.realm) # by cert file result = self.master.run_command( ['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]) assert subject in result.stdout_text assert '1 certificate matched' in result.stdout_text # by base64 cert cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT) result = self.master.run_command( ['ipa', 'cert-find', '--certificate', cab64]) assert subject in result.stdout_text assert '1 certificate matched' in result.stdout_text
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1(self.master) assert result.returncode == 0 # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2(self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def test_replica_after_domain_upgrade(self): tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) self.master.run_command(['ipa', 'user-add', self.username, '--first', 'test', '--last', 'user']) tasks.wait_for_replication(self.replicas[0].ldap_connect()) self.master.run_command(['ipa', 'domainlevel-set', str(DOMAIN_LEVEL_1)]) result = self.replicas[0].run_command(['ipa', 'user-show', self.username]) assert("User login: %s" % self.username in result.stdout_text), ( "A testuser was not found on replica after domain upgrade") self.replicas[0].run_command(['ipa', 'user-del', self.username]) tasks.wait_for_replication(self.master.ldap_connect()) result1 = self.master.run_command(['ipa', 'user-show', self.username], raiseonerr=False) assert_error(result1, "%s: user not found" % self.username, 2)
def test_external_ca(self): # Step 1 of ipa-server-install. result = install_server_external_ca_step1(self.master) assert result.returncode == 0 # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA) # Step 2 of ipa-server-install. result = install_server_external_ca_step2( self.master, ipa_ca_fname, root_ca_fname) assert result.returncode == 0 # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def install(cls, mh): cls.username = '******' tasks.install_master(cls.master, domain_level=cls.domain_level) password = cls.master.config.dirman_password cls.new_password = '******' adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password) tasks.kinit_admin(cls.master) cls.master.run_command(['ipa', 'user-add', cls.username, '--password', '--first', 'John', '--last', 'Donn'], stdin_text=adduser_stdin_text) # Now we need to change the password for the user cls.master.run_command(['kinit', cls.username], stdin_text=user_kinit_stdin_text) # And again kinit admin tasks.kinit_admin(cls.master)
def install(cls, mh): cls.username = '******' tasks.install_master(cls.master, domain_level=cls.domain_level) password = cls.master.config.dirman_password cls.new_password = '******' adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password) tasks.kinit_admin(cls.master) cls.master.run_command(['ipa', 'user-add', cls.username, '--password', '--first', 'John', '--last', 'Donn'], stdin_text=adduser_stdin_text) # Now we need to change the password for the user cls.master.run_command(['kinit', cls.username], stdin_text=user_kinit_stdin_text) # And again kinit admin tasks.kinit_admin(cls.master)
def test_replica_after_domain_upgrade(self): tasks.kinit_admin(self.master) tasks.kinit_admin(self.replicas[0]) self.master.run_command(['ipa', 'user-add', self.username, '--first', 'test', '--last', 'user']) tasks.wait_for_replication(self.replicas[0].ldap_connect()) self.master.run_command(['ipa', 'domainlevel-set', str(DOMAIN_LEVEL_1)]) result = self.replicas[0].run_command(['ipa', 'user-show', self.username]) assert("User login: %s" % self.username in result.stdout_text), ( "A testuser was not found on replica after domain upgrade") self.replicas[0].run_command(['ipa', 'user-del', self.username]) tasks.wait_for_replication(self.master.ldap_connect()) result1 = self.master.run_command(['ipa', 'user-show', self.username], raiseonerr=False) assert_error(result1, "%s: user not found" % self.username, 2)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False): with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, '--dnssec', 'true', ]) assert wait_until_record_is_signed(self.master.ip, self.example_test_zone, self.log), "Zone is not signed" backup_path = backup(self.master) self.master.run_command( ['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') assert wait_until_record_is_signed( self.master.ip, self.example_test_zone, self.log), ("Zone is not signed after " "restore") tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, '--dnssec', 'true', ]) assert wait_until_record_is_signed( self.master.ip, self.example2_test_zone, self.log), "A new zone is not signed"
def install(cls, mh): super(BaseTestLegacyClient, cls).install(mh) tasks.kinit_admin(cls.master) password_confirmation = ( cls.master.config.admin_password + '\n' + cls.master.config.admin_password ) cls.master.run_command(['ipa', 'user-add', 'disabledipauser', '--first', 'disabled', '--last', 'ipauser', '--password'], stdin_text=password_confirmation) cls.master.run_command(['ipa', 'user-disable', 'disabledipauser']) cls.ad = cls.ad_domains[0].ads[0] cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0]) # Determine whether the subdomain AD is available try: child_ad = cls.host_by_role(cls.optional_extra_roles[0]) cls.ad_subdomain = '.'.join( child_ad.hostname.split('.')[1:]) except LookupError: cls.ad_subdomain = None # Determine whether the tree domain AD is available try: cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1]) cls.ad_treedomain = '.'.join( cls.tree_ad.hostname.split('.')[1:]) except LookupError: cls.ad_treedomain = None tasks.apply_common_fixes(cls.legacy_client) for f in cls.backup_files: tasks.backup_file(cls.legacy_client, f)
def test_invalid_range_types(self): invalid_range_types = ['ipa-local', 'ipa-ad-winsync', 'ipa-ipa-trust', 'random-invalid', 're@ll%ybad12!'] for range_type in invalid_range_types: tasks.kinit_admin(self.master) result = self.master.run_command( ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin', 'Administrator', '--range-type', range_type, '--password'], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) # The trust-add command is supposed to fail assert result.returncode == 1
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert (self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert (self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert (len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. # first step of uninstallation is removal of the replica on other # master, then it can be uninstalled. Doing it the other way is also # possible, but not reliable - some data might not be replicated. tasks.clean_replication_agreement(self.master, self.replicas[1]) tasks.uninstall_master(self.replicas[1]) result5 = self.master.run_command( ['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert (num_entries == "1"), "Incorrect number of entries displayed"
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False): with restore_checker(self.master): self.master.run_command([ 'ipa', 'dnszone-add', self.example_test_zone, '--dnssec', 'true', ]) assert ( wait_until_record_is_signed( self.master.ip, self.example_test_zone) ), "Zone is not signed" backup_path = backup(self.master) self.master.run_command(['ipa-server-install', '--uninstall', '-U']) if reinstall: tasks.install_master(self.master, setup_dns=True) dirman_password = self.master.config.dirman_password self.master.run_command(['ipa-restore', backup_path], stdin_text=dirman_password + '\nyes') assert ( wait_until_record_is_signed( self.master.ip, self.example_test_zone) ), "Zone is not signed after restore" tasks.kinit_admin(self.master) self.master.run_command([ 'ipa', 'dnszone-add', self.example2_test_zone, '--dnssec', 'true', ]) assert ( wait_until_record_is_signed( self.master.ip, self.example2_test_zone) ), "A new zone is not signed"
def test_certmap_match_issue7520(self): # https://pagure.io/freeipa/issue/7520 tasks.kinit_admin(self.master) result = self.master.run_command( ['ipa', 'certmap-match', paths.IPA_CA_CRT], raiseonerr=False ) assert result.returncode == 1 assert not result.stderr_text assert "0 users matched" in result.stdout_text cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT) result = self.master.run_command( ['ipa', 'certmap-match', '--certificate', cab64], raiseonerr=False ) assert result.returncode == 1 assert not result.stderr_text assert "0 users matched" in result.stdout_text
def install(cls, mh): super(BaseTestLegacyClient, cls).install(mh) tasks.kinit_admin(cls.master) password_confirmation = ( cls.master.config.admin_password + '\n' + cls.master.config.admin_password ) cls.master.run_command(['ipa', 'user-add', 'disabledipauser', '--first', 'disabled', '--last', 'ipauser', '--password'], stdin_text=password_confirmation) cls.master.run_command(['ipa', 'user-disable', 'disabledipauser']) cls.ad = cls.ad_domains[0].ads[0] cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0]) # Determine whether the subdomain AD is available try: child_ad = cls.host_by_role(cls.optional_extra_roles[0]) cls.ad_subdomain = '.'.join( child_ad.hostname.split('.')[1:]) except LookupError: cls.ad_subdomain = None # Determine whether the tree domain AD is available try: cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1]) cls.ad_treedomain = '.'.join( cls.tree_ad.hostname.split('.')[1:]) except LookupError: cls.ad_treedomain = None tasks.apply_common_fixes(cls.legacy_client) for f in cls.backup_files: tasks.backup_file(cls.legacy_client, f)
def test_cert_find_issue7520(self): # https://pagure.io/freeipa/issue/7520 tasks.kinit_admin(self.master) subject = 'CN=Certificate Authority,O={}'.format( self.master.domain.realm) # by cert file result = self.master.run_command( ['ipa', 'cert-find', '--file', paths.IPA_CA_CRT] ) assert subject in result.stdout_text assert '1 certificate matched' in result.stdout_text # by base64 cert cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT) result = self.master.run_command( ['ipa', 'cert-find', '--certificate', cab64] ) assert subject in result.stdout_text assert '1 certificate matched' in result.stdout_text
def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, 'HTTP/%s' % self.master.hostname]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) tasks.kinit_admin(self.master) self.master.run_command(['klist']) self.master.run_command(['smbcontrol', 'all', 'debug', '100']) result = self.master.run_command([ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', 'Administrator', '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False) assert result != 0 assert ("Domain '{0}' is not a root domain".format( self.ad_treedomain) in result.stderr_text)
def test_topology_updated_on_replica_install_remove(self): """ Install and remove a replica and make sure topology information is updated on all other replicas Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/ Test_plan#Test_case: _Replication_topology_should_be_saved_in_the_LDAP_tree """ tasks.kinit_admin(self.master) result1 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text segment_name = self.segmentnames_re.findall(result1)[0] assert(self.master.hostname in segment_name), ( "Segment %s does not contain master hostname" % segment_name) assert(self.replicas[0].hostname in segment_name), ( "Segment %s does not contain replica hostname" % segment_name) tasks.install_replica(self.master, self.replicas[1], setup_ca=False, setup_dns=False) # We need to make sure topology information is consistent across all # replicas result2 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) segments = self.tokenize_topologies(result2.stdout_text) assert(len(segments) == 2), "Unexpected number of segments found" assert_deepequal(result2.stdout_text, result3.stdout_text) assert_deepequal(result3.stdout_text, result4.stdout_text) # Now let's check that uninstalling the replica will update the topology # info on the rest of replicas. # first step of uninstallation is removal of the replica on other # master, then it can be uninstalled. Doing it the other way is also # possible, but not reliable - some data might not be replicated. tasks.clean_replication_agreement(self.master, self.replicas[1]) tasks.uninstall_master(self.replicas[1]) result5 = self.master.run_command(['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]) num_entries = self.noentries_re.search(result5.stdout_text).group(1) assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-n', self.master.domain.name, '-r', self.master.domain.realm, '--domain-level=%i' % self.master.config.domain_level, '--external-ca' ]) test_dir = self.master.config.test_dir # Get IPA CSR as bytes ipa_csr = self.master.get_file_contents('/root/ipa.csr') external_ca = ExternalCA() # Create root CA root_ca = external_ca.create_ca() # Sign CSR ipa_ca = external_ca.sign_csr(ipa_csr) root_ca_fname = os.path.join(test_dir, 'root_ca.crt') ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt') # Transport certificates (string > file) to master self.master.put_file_contents(root_ca_fname, root_ca) self.master.put_file_contents(ipa_ca_fname, ipa_ca) # Step 2 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--external-cert-file', ipa_ca_fname, '--external-cert-file', root_ca_fname ]) # Make sure IPA server is working properly tasks.kinit_admin(self.master) result = self.master.run_command(['ipa', 'user-show', 'admin']) assert 'User login: admin' in result.stdout_text
def test_adtrust_system_records(self): """ Test ADTrust dns records with firstly installing a trust then removing the records and using the nsupdate generated by dns-update-system-records.""" self.master.run_command(['ipa-adtrust-install', '-U', '--enable-compat', '--netbios-name', 'IPA', '-a', self.master.config.admin_password, '--add-sids']) # lets re-kinit after adtrust-install and restart named tasks.kinit_admin(self.master) tasks.restart_named(self.master) time.sleep(5) self.delete_update_system_records(rnames=(r[0] for r in IPA_DEFAULT_ADTRUST_SRV_REC)) expected_servers = ( (self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)), ) for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip): self._test_SRV_rec_against_server( ip, self.domain, expected_servers, rec_list=IPA_DEFAULT_ADTRUST_SRV_REC)
def install(cls, mh): super(TestUserPermissions, cls).install(mh) tasks.kinit_admin(cls.master) # Create a new user altadmin password_confirmation = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password) cls.master.run_command(['ipa', 'user-add', cls.altadmin, '--first', cls.altadmin, '--last', cls.altadmin, '--password'], stdin_text=password_confirmation) # Add altadmin to the group cn=admins cls.master.run_command(['ipa', 'group-add-member', 'admins', '--users', cls.altadmin]) # kinit as altadmin to initialize the password altadmin_kinit = "%s\n%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password, cls.master.config.admin_password) cls.master.run_command(['kinit', cls.altadmin], stdin_text=altadmin_kinit) cls.master.run_command(['kdestroy', '-A'])
def test_http_kdc_proxy_works(self): result = tasks.kinit_admin(self.clients[0], raiseonerr=False) assert(result.returncode == 0), ( "Unable to kinit using KdcProxy: %s" % result.stderr_text )