def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def install(cls, mh):
super(TestRulesWithServicePrincipals, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
cls.replica = "replica.%s" % master.domain.name
master.run_command(['ipa', 'host-add', cls.replica, '--force'])
cls.service_name = "svc/%s" % master.hostname
cls.replica_service_name = "svc/%s" % cls.replica
master.run_command("ipa service-add %s" % cls.service_name)
master.run_command("ipa service-add %s --force" %
cls.replica_service_name)
master.run_command("ipa service-add-host %s --hosts %s" % (
cls.service_name, cls.replica))
master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
cls.replica))
master.run_command("ipa caacl-add-service %s --services"
" svc/`hostname`" % cls.caacl)
master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
cls.replica, master.domain.realm, cls.keytab))
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
# Prepare a CSR
cls.prepare_config()
stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
'-out', cls.csr], stdin_text=stdin_text)
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (cls.master.config.admin_password + '\n' +
cls.master.config.admin_password)
cls.master.run_command([
'ipa', 'user-add', 'disabledipauser', '--first', 'disabled',
'--last', 'ipauser', '--password'
],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def test_external_ca(self):
# Step 1 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-U', '-a',
self.master.config.admin_password, '-p',
self.master.config.dirman_password, '--setup-dns',
'--no-forwarders', '-r', self.master.domain.name, '--external-ca'
])
nss_db = os.path.join(self.master.config.test_dir, 'testdb')
external_cert_file = os.path.join(nss_db, 'ipa.crt')
external_ca_file = os.path.join(nss_db, 'ca.crt')
noisefile = os.path.join(self.master.config.test_dir, 'noise.txt')
pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt')
# Create noise and password files for NSS database
self.master.run_command('date | sha256sum > %s' % noisefile)
self.master.run_command('echo %s > %s' %
(self.master.config.admin_password, pwdfile))
# Create NSS database
self.master.run_command(['mkdir', nss_db])
self.master.run_command(
['certutil', '-N', '-d', nss_db, '-f', pwdfile])
# Create external CA
self.master.run_command(
[
'certutil', '-S', '-d', nss_db, '-f', pwdfile, '-n',
'external', '-s',
'CN=External CA, O=%s' % self.master.domain.name, '-x', '-t',
'CTu,CTu,CTu', '-g', '2048', '-m', '0', '-v', '60', '-z',
noisefile, '-2', '-1', '-5'
],
stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n')
# Sign IPA cert request using the external CA
self.master.run_command(
[
'certutil', '-C', '-d', nss_db, '-f', pwdfile, '-c',
'external', '-m', '1', '-v', '60', '-2', '-1', '-5', '-i',
'/root/ipa.csr', '-o', external_cert_file, '-a'
],
stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n')
# Export external CA file
self.master.run_command('certutil -L -d %s -n "external" -a > %s' %
(nss_db, external_ca_file))
# Step 2 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-a', self.master.config.admin_password,
'-p', self.master.config.dirman_password, '--external-cert-file',
external_cert_file, '--external-cert-file', external_ca_file
])
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_kra_install_master(self):
result1 = tasks.install_kra(self.master, first_instance=True, raiseonerr=False)
assert result1.returncode == 0, result1.stderr_text
tasks.kinit_admin(self.master)
result2 = self.master.run_command(["ipa", "vault-find"], raiseonerr=False)
found = result2.stdout_text.find("0 vaults matched")
assert found > 0, result2.stdout_text
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
self.master.run_command([
'kinit', '-kt', paths.IPA_KEYTAB,
'HTTP/%s' % self.master.hostname
])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
tasks.kinit_admin(self.master)
self.master.run_command(['klist'])
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
result = self.master.run_command(
[
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
'--admin', 'Administrator', '--password', '--range-type',
'ipa-ad-trust'
],
stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(self.ad_treedomain)
in result.stderr_text)
def install(cls, mh):
super(TestRulesWithServicePrincipals, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
cls.replica = "replica.%s" % master.domain.name
master.run_command(['ipa', 'host-add', cls.replica, '--force'])
cls.service_name = "svc/%s" % master.hostname
cls.replica_service_name = "svc/%s" % cls.replica
master.run_command("ipa service-add %s" % cls.service_name)
master.run_command("ipa service-add %s --force" %
cls.replica_service_name)
master.run_command("ipa service-add-host %s --hosts %s" %
(cls.service_name, cls.replica))
master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
master.run_command("ipa caacl-add-host %s --hosts %s" %
(cls.caacl, cls.replica))
master.run_command("ipa caacl-add-service %s --services"
" svc/`hostname`" % cls.caacl)
master.run_command("ipa-getkeytab -p host/%s@%s -k %s" %
(cls.replica, master.domain.realm, cls.keytab))
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
# Prepare a CSR
cls.prepare_config()
stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
master.run_command([
'openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr
],
stdin_text=stdin_text)
def teardown_method(self, method):
self.replicas[0].run_command(['ipa-client-install',
'--uninstall', '-U'],
raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del',
self.replicas[0].hostname],
raiseonerr=False)
def test_service_as_user_admin(self):
"""Test that a service in User Administrator role can manage users"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command([
'ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s',
self.master.hostname
])
# Check that the service cannot add a user
self.master.run_command(['kdestroy'])
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
result = self.master.run_command([
'ipa', 'role-add-member', 'User Administrator', '--service',
service_name
],
raiseonerr=False)
assert result.returncode > 0
# Add service to User Administrator role
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'role-add-member', 'User Administrator', '--service',
service_name
])
# Check that the service now can add a user
self.master.run_command(['kdestroy'])
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
self.master.run_command([
'ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b',
'--random'
])
# Clean up
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-del', service_name])
self.master.run_command(['ipa', 'user-del', 'tuser'])
def test_kra_install_master(self):
result1 = tasks.install_kra(self.master,
first_instance=True,
raiseonerr=False)
assert result1.returncode == 0, result1.stderr_text
tasks.kinit_admin(self.master)
result2 = self.master.run_command(["ipa", "vault-find"],
raiseonerr=False)
found = result2.stdout_text.find("0 vaults matched")
assert (found > 0), result2.stdout_text
def run_advice(master, advice_id, advice_regex, raiseerr):
# Obtain the advice from the server
tasks.kinit_admin(master)
result = master.run_command(['ipa-advise', advice_id], raiseonerr=raiseerr)
if not result.stdout_text:
advice = result.stderr_text
else:
advice = result.stdout_text
assert re.search(advice_regex, advice, re.S)
def test_service_as_user_admin(self):
"""Test that a service in User Administrator role can manage users"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file,
'-s', self.master.hostname])
# Check that the service cannot add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
result = self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name],
raiseonerr=False)
assert result.returncode > 0
# Add service to User Administrator role
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name])
# Check that the service now can add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
self.master.run_command(['ipa', 'user-add', 'tuser',
'--first', 'a', '--last', 'b', '--random'])
# Clean up
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-del', service_name])
self.master.run_command(['ipa', 'user-del', 'tuser'])
def run_advice(master, advice_id, advice_regex, raiseerr):
# Obtain the advice from the server
tasks.kinit_admin(master)
result = master.run_command(['ipa-advise', advice_id],
raiseonerr=raiseerr)
if not result.stdout_text:
advice = result.stderr_text
else:
advice = result.stdout_text
assert re.search(advice_regex, advice, re.S)
def test_service_access(self):
""" Test that user is granted access when authenticated using
credentials that are sufficient for a service, and denied access
when using insufficient credentials"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service without authentication indicator
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file])
# Set authentication-type for admin user
self.master.run_command(['ipa', 'user-mod', 'admin',
'--user-auth-type=password',
'--user-auth-type=otp'])
# Authenticate
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
# Verify access to service is granted
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode == 0
# Obtain admin ticket to be able to update service
tasks.kinit_admin(self.master)
# Modify service to have authentication indicator
self.master.run_command(['ipa', 'service-mod', service_name,
'--auth-ind=otp'])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file])
# Authenticate
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
# Verify access to service is rejected
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode > 0
def test_replica_after_domain_upgrade(self):
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
self.master.run_command(["ipa", "user-add", self.username, "--first", "test", "--last", "user"])
tasks.wait_for_replication(self.replicas[0].ldap_connect())
self.master.run_command(["ipa", "domainlevel-set", str(DOMAIN_LEVEL_1)])
result = self.replicas[0].run_command(["ipa", "user-show", self.username])
assert (
"User login: %s" % self.username in result.stdout_text
), "A testuser was not found on replica after domain upgrade"
self.replicas[0].run_command(["ipa", "user-del", self.username])
tasks.wait_for_replication(self.master.ldap_connect())
result1 = self.master.run_command(["ipa", "user-show", self.username], raiseonerr=False)
assert_error(result1, "%s: user not found" % self.username, 2)
def test_apply_advice(self):
# Obtain the advice from the server
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa-advise', self.advice_id])
advice = result.stdout_text
# Apply the advice on the legacy client
advice_path = os.path.join(self.legacy_client.config.test_dir,
'advice.sh')
self.legacy_client.put_file_contents(advice_path, advice)
result = self.legacy_client.run_command(['bash', '-x', '-e',
advice_path])
# Restart SSHD to load new PAM configuration
self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
log.info('Storing result for %s', check)
results.append(check(host))
yield
for (check, assert_func), expected in zip(CHECKS, results):
log.info('Checking result for %s', check)
got = check(host)
assert_func(expected, got)
def test_apply_advice(self):
# Obtain the advice from the server
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa-advise', self.advice_id])
advice = result.stdout_text
# Apply the advice on the legacy client
advice_path = os.path.join(self.legacy_client.config.test_dir,
'advice.sh')
self.legacy_client.put_file_contents(advice_path, advice)
result = self.legacy_client.run_command(
['bash', '-x', '-e', advice_path])
# Restart SSHD to load new PAM configuration
self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
log.info('Storing result for %s', check)
results.append(check(host))
yield
for (check, assert_func), expected in zip(CHECKS, results):
log.info('Checking result for %s', check)
got = check(host)
assert_func(expected, got)
def install(cls, mh):
cls.username = "******"
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = "******"
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password, cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password, cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command(
["ipa", "user-add", cls.username, "--password", "--first", "John", "--last", "Donn"],
stdin_text=adduser_stdin_text,
)
# Now we need to change the password for the user
cls.master.run_command(["kinit", cls.username], stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master, self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
assert (segment['name']
in result1), ("%s: segment not found" % segment['name'])
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
# Since segment name can be one of master-to-replica2 or
# replica2-to-master, we need to determine the segment name dynamically
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
replica1_ldap = self.replicas[0].ldap_connect()
tasks.wait_for_replication(replica1_ldap)
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
assert (deleteme not in result3), "%s: segment still exists" % deleteme
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command([
'ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user'
])
dest_ldap = self.replicas[1].ldap_connect()
tasks.wait_for_replication(dest_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert ('someuser' in result4.stdout_text), 'User not found: someuser'
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master,
self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(segment['name'] in result1), (
"%s: segment not found" % segment['name'])
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
# Since segment name can be one of master-to-replica2 or
# replica2-to-master, we need to determine the segment name dynamically
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
replica1_ldap = self.replicas[0].ldap_connect()
tasks.wait_for_replication(replica1_ldap)
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(deleteme not in result3), "%s: segment still exists" % deleteme
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command(['ipa', 'user-add', 'someuser',
'--first', 'test',
'--last', 'user'])
dest_ldap = self.replicas[1].ldap_connect()
tasks.wait_for_replication(dest_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert('someuser' in result4.stdout_text), 'User not found: someuser'
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command(['ipa', 'user-add', cls.username, '--password',
'--first', 'John', '--last', 'Donn'],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def test_invalid_range_types(self):
invalid_range_types = ['ipa-local',
'ipa-ad-winsync',
'ipa-ipa-trust',
'random-invalid',
're@ll%ybad12!']
for range_type in invalid_range_types:
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin',
'Administrator', '--range-type', range_type, '--password'],
raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
# The trust-add command is supposed to fail
assert result.returncode == 1
def test_invalid_range_types(self):
invalid_range_types = ['ipa-local',
'ipa-ad-winsync',
'ipa-ipa-trust',
'random-invalid',
're@ll%ybad12!']
for range_type in invalid_range_types:
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin',
'Administrator', '--range-type', range_type, '--password'],
raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
# The trust-add command is supposed to fail
assert result.returncode == 1
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
first_segment_name = "%s-to-%s" % (self.master.hostname,
self.replicas[0].hostname)
expected_segment = {
'connectivity': 'both',
'leftnode': self.master.hostname,
'name': first_segment_name,
'rightnode': self.replicas[0].hostname}
firstsegment = self.tokenize_topologies(result1)[0]
assert_deepequal(expected_segment, firstsegment)
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert(len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
tasks.uninstall_master(self.replicas[1])
tasks.clean_replication_agreement(self.master, self.replicas[1])
result5 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_replica_after_domain_upgrade(self):
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
self.master.run_command([
'ipa', 'user-add', self.username, '--first', 'test', '--last',
'user'
])
tasks.wait_for_replication(self.replicas[0].ldap_connect())
self.master.run_command(
['ipa', 'domainlevel-set',
str(DOMAIN_LEVEL_1)])
result = self.replicas[0].run_command(
['ipa', 'user-show', self.username])
assert ("User login: %s" % self.username in result.stdout_text), (
"A testuser was not found on replica after domain upgrade")
self.replicas[0].run_command(['ipa', 'user-del', self.username])
tasks.wait_for_replication(self.master.ldap_connect())
result1 = self.master.run_command(['ipa', 'user-show', self.username],
raiseonerr=False)
assert_error(result1, "%s: user not found" % self.username, 2)
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command([
'ipa', 'user-add', cls.username, '--password', '--first', 'John',
'--last', 'Donn'
],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
'HTTP/%s' % self.master.hostname])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
tasks.kinit_admin(self.master)
self.master.run_command(['klist'])
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
result = self.master.run_command([
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
], stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(
self.ad_treedomain) in result.stderr_text)
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
first_segment_name = "%s-to-%s" % (self.master.hostname,
self.replicas[0].hostname)
output1 = result1.stdout_text
firstsegment = self.tokenize_topologies(output1)[0]
assert(firstsegment['name'] == first_segment_name)
assert(self.noentries_re.search(output1).group(1) == "1")
assert(firstsegment['leftnode'] == self.master.hostname)
assert(firstsegment['rightnode'] == self.replicas[0].hostname)
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert(len(segments) == 2)
assert(result2.stdout_text == result3.stdout_text)
assert(result3.stdout_text == result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
tasks.uninstall_master(self.replicas[1])
tasks.clean_replication_agreement(self.master, self.replicas[1])
result5 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
assert(self.noentries_re.search(result5.stdout_text).group(1) == "1")
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert (self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert (self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert (len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
tasks.uninstall_master(self.replicas[1])
tasks.clean_replication_agreement(self.master, self.replicas[1])
result5 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert (num_entries == "1"), "Incorrect number of entries displayed"
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master,
self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
assert(result1.stdout_text.find(segment['name']) > 0)
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
deleteme = "%s-to-%s" % (self.master.hostname,
self.replicas[1].hostname)
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# make sure replica1 does not have segment that was deleted on master
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
assert(result3.stdout_text.find(deleteme) < 0)
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command(['ipa', 'user-add', 'someuser',
'--first', 'test',
'--last', 'user'])
time.sleep(60) # replication requires some time
users_on_replica2 = self.replicas[1].run_command(['ipa',
'user-find'])
assert(users_on_replica2.find('someuser') > 0)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert wait_until_record_is_signed(self.master.ip,
self.example_test_zone, self.log), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert wait_until_record_is_signed(self.master.ip,
self.example_test_zone, self.log), ("Zone is not signed after "
"restore")
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert wait_until_record_is_signed(self.master.ip,
self.example2_test_zone, self.log), "A new zone is not signed"
def rekinit(self):
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
def test_external_ca(self):
# Step 1 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-U',
'-a', self.master.config.admin_password,
'-p', self.master.config.dirman_password,
'--setup-dns', '--no-forwarders',
'-r', self.master.domain.name,
'--external-ca'
])
nss_db = os.path.join(self.master.config.test_dir, 'testdb')
external_cert_file = os.path.join(nss_db, 'ipa.crt')
external_ca_file = os.path.join(nss_db, 'ca.crt')
noisefile = os.path.join(self.master.config.test_dir, 'noise.txt')
pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt')
# Create noise and password files for NSS database
self.master.run_command('date | sha256sum > %s' % noisefile)
self.master.run_command('echo %s > %s' %
(self.master.config.admin_password, pwdfile))
# Create NSS database
self.master.run_command(['mkdir', nss_db])
self.master.run_command([
'certutil', '-N',
'-d', nss_db,
'-f', pwdfile
])
# Create external CA
self.master.run_command([
'certutil', '-S',
'-d', nss_db,
'-f', pwdfile,
'-n', 'external',
'-s', 'CN=External CA, O=%s' % self.master.domain.name,
'-x',
'-t', 'CTu,CTu,CTu',
'-g', '2048',
'-m', '0',
'-v', '60',
'-z', noisefile,
'-2', '-1', '-5'
], stdin_text='5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n')
# Sign IPA cert request using the external CA
self.master.run_command([
'certutil', '-C',
'-d', nss_db,
'-f', pwdfile,
'-c', 'external',
'-m', '1',
'-v', '60',
'-2', '-1', '-5',
'-i', '/root/ipa.csr',
'-o', external_cert_file,
'-a'
], stdin_text='0\n1\n5\n9\ny\ny\n\ny\n5\n6\n7\n9\nn\n')
# Export external CA file
self.master.run_command(
'certutil -L -d %s -n "external" -a > %s' %
(nss_db, external_ca_file)
)
# Step 2 of ipa-server-install
self.master.run_command([
'ipa-server-install',
'-a', self.master.config.admin_password,
'-p', self.master.config.dirman_password,
'--external_cert_file', external_cert_file,
'--external_ca_file', external_ca_file
])
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def teardown_method(self, method):
self.replicas[0].run_command(["ipa-client-install", "--uninstall", "-U"], raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(["ipa", "host-del", self.replicas[0].hostname], raiseonerr=False)
def test_http_kdc_proxy_works(self):
result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
assert (result.returncode == 0), (
"Unable to kinit using KdcProxy: %s" % result.stderr_text)
def rekinit(self):
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
def test_http_kdc_proxy_works(self):
result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
assert(result.returncode == 0), (
"Unable to kinit using KdcProxy: %s" % result.stderr_text
)
def teardown_method(self, method):
self.replicas[0].run_command(
['ipa-client-install', '--uninstall', '-U'], raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname],
raiseonerr=False)
