def install(cls, mh):
# External DNS is only available before install so cache a copy
# of the *ipa-epn-client package so we can experimentally remove
# it later.
#
# Notes:
# - A package can't be downloaded that is already installed so we
# have to remove it first.
# - dnf cleans up previously downloaded locations so make a copy it
# doesn't know about.
# - Adds a class variable, pkg, containing the package name of
# the downloaded *ipa-client-epn rpm.
hosts = [cls.master, cls.clients[0]]
tasks.uninstall_packages(cls.clients[0], EPN_PKG)
pkgdir = tasks.download_packages(cls.clients[0], EPN_PKG)
pkg = cls.clients[0].run_command(r'ls -1 {}'.format(pkgdir))
cls.pkg = pkg.stdout_text.strip()
cls.clients[0].run_command(
['cp', os.path.join(pkgdir, cls.pkg), '/tmp'])
cls.clients[0].run_command(r'rm -rf {}'.format(pkgdir))
for host in hosts:
tasks.install_packages(host, EPN_PKG + ["postfix"])
try:
tasks.install_packages(host, ["cyrus-sasl"])
except Exception:
# the package is likely already installed
pass
tasks.install_master(cls.master, setup_dns=True)
tasks.install_client(cls.master, cls.clients[0])
for host in hosts:
configure_postfix(host, cls.master.domain.realm)
Firewall(host).enable_services(["smtp", "smtps"])
def test_install_with_host_auth_ind_set(self):
""" A client shouldn't be able to be promoted if it has
any auth indicator set in the host principal.
https://pagure.io/freeipa/issue/8206
"""
client = self.replicas[0]
# Configure firewall first
Firewall(client).enable_services(["freeipa-ldap", "freeipa-ldaps"])
client.run_command([
'ipa-client-install', '-U', '--domain', self.master.domain.name,
'--realm', self.master.domain.realm, '-p', 'admin', '-w',
self.master.config.admin_password, '--server',
self.master.hostname, '--force-join'
])
tasks.kinit_admin(client)
client.run_command(
['ipa', 'host-mod', '--auth-ind=otp', client.hostname])
res = client.run_command([
'ipa-replica-install', '-U', '-w',
self.master.config.dirman_password
],
raiseonerr=False)
client.run_command(['ipa', 'host-mod', '--auth-ind=', client.hostname])
expected_err = ("Client cannot be promoted to a replica if the host "
"principal has an authentication indicator set.")
assert res.returncode == 1
assert expected_err in res.stderr_text
def test_replica_promotion_after_adding_to_admin_group(self):
self.master.run_command(['ipa', 'group-add-member', 'admins',
'--users=%s' % self.username])
# Configure firewall first
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
self.replicas[0].run_command(['ipa-replica-install',
'-P', self.username,
'-p', self.new_password,
'-n', self.master.domain.name,
'-r', self.master.domain.realm,
'-U'])
def test_replica_promotion_by_unprivileged_user(self):
replica = self.replicas[0]
tasks.install_client(self.master, replica)
# Configure firewall first
Firewall(replica).enable_services(["freeipa-ldap", "freeipa-ldaps"])
result2 = replica.run_command([
'ipa-replica-install', '-P', self.username, '-p',
self.new_password, '-n', self.master.domain.name, '-r',
self.master.domain.realm
],
raiseonerr=False)
assert_error(result2, "Insufficient privileges to promote the server",
1)
def test_install_dns_on_replica1_and_dnssec_on_master(self):
"""
install DNS server on replica and DNSSec on master
"""
tasks.install_dns(self.replicas[0])
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", self.master.config.dns_forwarder,
"-U",
]
self.master.run_command(args)
Firewall(self.master).enable_service("dns")
def install(cls, mh):
super(TestHttpKdcProxy, cls).install(mh)
# Block access from client to master's port 88
Firewall(cls.clients[0]).prepend_passthrough_rules(cls.fw_rules)
# configure client
cls.clients[0].run_command(
r"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" %
(cls.master.hostname, paths.KRB5_CONF))
cls.clients[0].run_command(r"sed -i 's/master_kdc = .*$/master_kdc"
r" = https:\/\/%s\/KdcProxy/' %s" %
(cls.master.hostname, paths.KRB5_CONF))
# Workaround for https://fedorahosted.org/freeipa/ticket/6443
cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
def test_replica_uninstallation_prohibited(self):
"""
http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
#Test_case:_Prohibit_ipa_server_uninstallation_from_disconnecting
_topology_segment
"""
result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
raiseonerr=False)
assert_error(result, "Removal of '%s' leads to disconnected"
" topology" % self.replicas[0].hostname, 1)
self.replicas[0].run_command(['ipa-server-install', '--uninstall',
'-U', '--ignore-topology-disconnect'])
Firewall(self.replicas[0]).disable_services(["freeipa-ldap",
"freeipa-ldaps"])
def test_one_command_installation(self):
"""
TestCase:
http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
#Test_case:_Replica_can_be_installed_using_one_command
"""
self.replicas[0].run_command([
'ipa-replica-install', '-w', self.master.config.admin_password,
'-n', self.master.domain.name, '-r', self.master.domain.realm,
'--server', self.master.hostname, '-U'
])
Firewall(self.replicas[0]).enable_services(
["freeipa-ldap", "freeipa-ldaps"])
# Ensure that pkinit is properly configured, test for 7566
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
assert "PKINIT is enabled" in result.stdout_text
def test_one_step_install_pwd_and_admin_pwd(self):
"""--password and --admin-password options are mutually exclusive
Test for ticket 6353
"""
expected_err = "--password and --admin-password options are " \
"mutually exclusive"
result = self.replicas[0].run_command([
'ipa-replica-install', '-w', self.master.config.admin_password,
'-p', 'OTPpwd', '-n', self.master.domain.name, '-r',
self.master.domain.realm, '--server', self.master.hostname, '-U'
],
raiseonerr=False)
assert result.returncode == 1
assert expected_err in result.stderr_text
Firewall(self.replicas[0]).enable_services(
["freeipa-ldap", "freeipa-ldaps"])
def test_upcase_client_domain(self):
client = self.replicas[0]
result = client.run_command(['ipa-client-install', '-U', '--domain',
self.master.domain.name.upper(), '-w',
self.master.config.admin_password,
'-p', 'admin',
'--server', self.master.hostname,
'--force-join'], raiseonerr=False)
assert(result.returncode == 0), (
'Failed to setup client with the upcase domain name')
# Configure firewall first
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
self.master.config.dirman_password],
raiseonerr=False)
assert(result1.returncode == 0), (
'Failed to promote the client installed with the upcase domain name')
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
# Enable dns service on master as it has been installed without dns
# support before
Firewall(cls.master).enable_services(["dns"])
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
# backup trusted key
tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_replica_install_in_forward_zone(self):
master = self.master
replica = self.replicas[0]
# Create a forward zone on the master
master.run_command(['ipa', 'dnsforwardzone-add', self.forwardzone,
'--skip-overlap-check',
'--forwarder', master.config.dns_forwarder])
# Configure the client with a name in the forwardzone
r_shortname = replica.hostname.split(".", 1)[0]
r_new_hostname = '{}.{}'.format(r_shortname,
self.forwardzone)
# Update /etc/hosts on the master with an entry for the replica
# otherwise replica conncheck would fail
update_etc_hosts(master, replica.ip, replica.hostname,
r_new_hostname)
# Remove the replica previous hostname from /etc/hosts
# and add the replica new hostname
# otherwise replica install will complain because
# hostname does not match
update_etc_hosts(replica, replica.ip, replica.hostname,
r_new_hostname)
try:
# install client with a hostname in the forward zone
tasks.install_client(self.master, replica,
extra_args=['--hostname', r_new_hostname])
# Configure firewall first
Firewall(replica).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
replica.run_command(['ipa-replica-install',
'--principal', replica.config.admin_name,
'--admin-password',
replica.config.admin_password,
'--setup-dns',
'--forwarder', master.config.dns_forwarder,
'-U'])
finally:
# Restore /etc/hosts on master and replica
restore_etc_hosts(master)
restore_etc_hosts(replica)
def test_wrong_client_domain(self):
client = self.replicas[0]
client.run_command(['ipa-client-install', '-U',
'--domain', self.domain_name,
'--realm', self.master.domain.realm,
'-p', 'admin',
'-w', self.master.config.admin_password,
'--server', self.master.hostname,
'--force-join'])
# Configure firewall first
Firewall(client).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
result = client.run_command(['ipa-replica-install', '-U', '-w',
self.master.config.dirman_password],
raiseonerr=False)
assert_error(result,
"Cannot promote this client to a replica. Local domain "
"'%s' does not match IPA domain "
"'%s'" % (self.domain_name, self.master.domain.name))
def test_migrate_dnssec_master(self):
"""Both master and replica have DNS installed"""
backup_filename = "/var/lib/ipa/ipa-kasp.db.backup"
replica_backup_filename = "/tmp/ipa-kasp.db.backup"
# add test zone
dnszone_add_dnssec(self.master, example_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example_test_zone,
timeout=100), "Zone %s is not signed (master)" % example_test_zone
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[0].ip, example_test_zone,
timeout=200), "Zone %s is not signed (replica)" % example_test_zone
dnskey_old = resolve_with_dnssec(self.master.ip,
example_test_zone,
rtype="DNSKEY").rrset
# migrate dnssec master to replica
args = [
"ipa-dns-install",
"--disable-dnssec-master",
"--forwarder",
self.master.config.dns_forwarder,
"--force",
"-U",
]
self.master.run_command(args)
# move content of "ipa-kasp.db.backup" to replica
kasp_db_backup = self.master.get_file_contents(backup_filename)
self.replicas[0].put_file_contents(replica_backup_filename,
kasp_db_backup)
args = [
"ipa-dns-install",
"--dnssec-master",
"--kasp-db",
replica_backup_filename,
"--forwarder",
self.master.config.dns_forwarder,
"-U",
]
self.replicas[0].run_command(args)
# Enable the dns service in the firewall on the replica
Firewall(self.replicas[0]).enable_services(["dns"])
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example_test_zone, timeout=100
), "Zone %s is not signed after migration (master)" % example_test_zone
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[0].ip, example_test_zone, timeout=200
), "Zone %s is not signed after migration (replica)" % example_test_zone
# test if dnskey are the same
dnskey_new = resolve_with_dnssec(self.master.ip,
example_test_zone,
rtype="DNSKEY").rrset
assert dnskey_old == dnskey_new, "DNSKEY should be the same"
# add test zone
dnszone_add_dnssec(self.replicas[0], example2_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[0].ip, example2_test_zone, timeout=100
), ("Zone %s is not signed after migration (replica - dnssec master)" %
example2_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example2_test_zone,
timeout=200), ("Zone %s is not signed after migration (master)" %
example2_test_zone)
# add new replica
tasks.install_replica(self.master, self.replicas[1], setup_dns=True)
# test if originial zones are signed on new replica
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[1].ip, example_test_zone,
timeout=200), ("Zone %s is not signed (new replica)" %
example_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[1].ip, example2_test_zone,
timeout=200), ("Zone %s is not signed (new replica)" %
example2_test_zone)
# add new zone to new replica
dnszone_add_dnssec(self.replicas[0], example3_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[1].ip, example3_test_zone,
timeout=200), ("Zone %s is not signed (new replica)" %
example3_test_zone)
assert wait_until_record_is_signed(
self.replicas[0].ip, example3_test_zone,
timeout=200), ("Zone %s is not signed (replica)" %
example3_test_zone)
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example3_test_zone,
timeout=200), ("Zone %s is not signed (master)" %
example3_test_zone)
def uninstall(cls, mh):
super(TestHttpKdcProxy, cls).uninstall(mh)
Firewall(cls.clients[0]).remove_passthrough_rules(cls.fw_rules)
