Exemplo n.º 1
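def enroll_idm_and_configure_external_auth():
    """Enroll the Satellite6 Server to an IDM Server.

    Installs the IPA client packages, obtains an admin Kerberos ticket on the
    IDM host, registers this server there with a one-time enrollment password,
    adds the HTTP service principal and finally runs ``ipa-client-install``
    with that password.

    Raises:
        RuntimeError: if ``ipa host-add --random`` did not report a random
            password, so there is nothing to enroll with.
    """
    import shlex

    ipa_host = settings.ipa.hostname_ipa
    sat_host = settings.server.hostname

    run_command(
        cmd='yum -y --disableplugin=foreman-protector install ipa-client ipa-admintools'
    )

    # Both secrets below are shell-quoted: an unquoted password containing
    # spaces or shell metacharacters would be split or interpreted by the
    # shell instead of being passed through verbatim.
    # NOTE(review): the secrets are still embedded in the command string given
    # to run_command; whether that string is logged is not visible here - confirm.
    run_command(
        cmd=f"echo {shlex.quote(str(settings.ipa.password_ipa))} | kinit admin",
        hostname=ipa_host,
    )
    result = run_command(
        cmd=f"ipa host-add --random {sat_host}",
        hostname=ipa_host,
    )

    password = None
    for line in result:
        if "Random password" in line:
            # partition() splits on the first ': ' only, so a password that
            # itself contains ': ' stays intact.
            password = line.partition(': ')[2].strip()
            break
    if not password:
        raise RuntimeError(
            "ipa host-add did not return a random enrollment password"
        )

    run_command(
        cmd=f"ipa service-add HTTP/{sat_host}",
        hostname=ipa_host,
    )
    # The domain is everything after the first label of the IDM host name;
    # its upper-cased form is used as the realm.
    _, domain = ipa_host.split('.', 1)
    run_command(cmd=f"ipa-client-install --password {shlex.quote(password)} "
                f"--domain {domain} "
                f"--server {ipa_host} "
                f"--realm {domain.upper()} -U")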
Exemplo n.º 2
def test_positive_foreman_service_auto_restart(foreman_service_teardown):
    """A stopped Foreman service should be started again by an incoming API call

    :CaseComponent: Infrastructure

    :id: 766560b8-30bb-11eb-8dae-d46d6dd3b5b2

    :Steps:
        1. Stop the Foreman Service
        2. Make any API call to Satellite

    :expectedresults: Foreman Service should get restarted automatically
    """
    # Step 1: stop the service and confirm it is reported as down.
    run_command('systemctl stop foreman')
    status = ssh.command('foreman-maintain service status --only=foreman')
    assert status.return_code == 1
    status_output = ''.join(status.stdout)
    assert 'not running (foreman)' in status_output

    # Step 2: an organization search through the API must return a result.
    org_query = {'search': f'name="{DEFAULT_ORG}"'}
    matches = entities.Organization().search(query=org_query)
    assert matches[0]

    # Query the service status once more after the API call.
    run_command('foreman-maintain service status --only=foreman')
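def subscribe_satellite(clean_rhsm, default_sat):
    """Register the Satellite with the CDN, attach a pool and unregister afterwards.

    Registers with the configured RHN credentials, attaches the configured
    pool and enables the server-extras repository before yielding. The system
    is unregistered after the yield, and also when attaching the pool fails.

    Args:
        clean_rhsm: not used in the body; requested only for its side effect.
        default_sat: object whose ``os_version.major`` selects the release and
            the extras repository name.
    """
    import shlex

    os_major = default_sat.os_version.major
    # Credentials are shell-quoted so that spaces or metacharacters in them
    # cannot break or alter the command line.
    username = shlex.quote(str(settings.subscription.rhn_username))
    password = shlex.quote(str(settings.subscription.rhn_password))
    run_command(
        f'subscription-manager register --force --user={username} --password={password} '
        # set release to "7Server" currently with this scope
        f'--release="{os_major}Server"'
    )

    attach_cmd = f'subscription-manager attach --pool={settings.subscription.rhn_poolid}'
    result = run_command(attach_cmd)
    # NOTE(review): this is a plain `in` test on whatever run_command returns;
    # it is a substring match only if that is a string - confirm.
    if 'Successfully attached a subscription' not in result:
        # pytest.fail() raises, so the unregister at the end of the function
        # is never reached on this path; clean up here instead.
        unsubscribe()
        pytest.fail("Failed to attach system to pool. Aborting Test!.")

    run_command(
        f'subscription-manager repos --enable "rhel-{os_major}-server-extras-rpms"'
    )
    yield
    unsubscribe()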
Exemplo n.º 4
 def configure_hammer_session(self, enable=True):
     """Back up the hammer config file, then set ``:use_sessions`` according to *enable*."""
     use_sessions = 'true' if enable else 'false'
     steps = (
         # keep a copy of the current config next to the original
         f"cp {HAMMER_CONFIG} {HAMMER_CONFIG}.backup",
         # drop any existing :use_sessions line before appending the new one
         f"sed -i '/:use_sessions.*/d' {HAMMER_CONFIG}",
         f"echo '  :use_sessions: {use_sessions}' >> {HAMMER_CONFIG}",
     )
     for step in steps:
         run_command(step)
Exemplo n.º 5
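def enroll_configure_rhsso_external_auth():
    """Enroll the Satellite6 Server to an RHSSO Server.

    Installs the OpenID Connect packages, registers the ``foreman-openidc``
    client through ``keycloak-httpd-client-install`` (the admin password is
    piped to it on stdin), enables Keycloak in the installer and restarts
    httpd.
    """
    import shlex

    # Values taken from settings are shell-quoted so that spaces or
    # metacharacters in them cannot split or alter the command line.
    # NOTE(review): the password is still part of the command string given to
    # run_command; whether that string is logged is not visible here - confirm.
    admin_password = shlex.quote(str(settings.rhsso.password))
    server_url = shlex.quote(str(settings.rhsso.host_url))
    realm = shlex.quote(str(settings.rhsso.realm))

    run_command(cmd='yum -y --disableplugin=foreman-protector install '
                'mod_auth_openidc keycloak-httpd-client-install')
    run_command(
        cmd=f'echo {admin_password} | keycloak-httpd-client-install '
        '--app-name foreman-openidc '
        f'--keycloak-server-url {server_url} '
        '--keycloak-admin-username "admin" '
        f'--keycloak-realm {realm} '
        '--keycloak-admin-realm master '
        '--keycloak-auth-role root-admin -t openidc -l /users/extlogin --force'
    )
    run_command(
        cmd='satellite-installer --foreman-keycloak true '
        "--foreman-keycloak-app-name 'foreman-openidc' "
        f"--foreman-keycloak-realm {realm} ",
        timeout=1000000,
    )
    run_command(cmd="systemctl restart httpd")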
Exemplo n.º 6
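def enroll_ad_and_configure_external_auth(request, ad_data):
    """Enroll Satellite Server to an AD Server.

    Installs the client packages, puts the AD name server into
    ``/etc/resolv.conf``, joins the realm, writes the IPA, net-keytab and
    gssproxy configuration files and adds the HTTP keytab entry.

    Args:
        request: object whose ``param`` names the auth type; a value containing
            ``2019`` selects the 2019 AD data set.
        ad_data: callable returning the AD settings (``realm``, ``workgroup``,
            ``nameserver``).
    """
    import shlex

    auth_type = request.param.lower()
    ad_data = ad_data('2019') if '2019' in auth_type else ad_data()
    packages = ('sssd adcli realmd ipa-python-compat krb5-workstation '
                'samba-common-tools gssproxy nfs-utils ipa-client')
    realm = ad_data.realm
    workgroup = ad_data.workgroup
    # The password is piped to two commands below; quoting keeps spaces and
    # shell metacharacters in it from being interpreted by the shell.
    # NOTE(review): it is still part of the command string given to
    # run_command; whether that string is logged is not visible here - confirm.
    ldap_password = shlex.quote(str(settings.ldap.password))

    default_content = f'[global]\nserver = unused\nrealm = {realm}'
    keytab_content = (f'[global]\nworkgroup = {workgroup}\nrealm = {realm}'
                      f'\nkerberos method = system keytab\nsecurity = ads')

    # install the required packages
    run_command(
        cmd=f'yum -y --disableplugin=foreman-protector install {packages}')

    # update the AD name server: resolv.conf is made mutable for the edit and
    # marked immutable again afterwards
    run_command(cmd='chattr -i /etc/resolv.conf')
    # NOTE(review): line_number (and id_apache further down) are interpolated
    # exactly as run_command returns them; if that is a list of lines rather
    # than a string the generated text would be malformed - confirm.
    line_number = run_command(
        cmd=
        "awk -v search='nameserver' '$0~search{print NR; exit}' /etc/resolv.conf"
    )
    run_command(
        cmd=
        f'sed -i "{line_number}i nameserver {ad_data.nameserver}" /etc/resolv.conf'
    )
    run_command(cmd='chattr +i /etc/resolv.conf')

    # join the realm
    run_command(cmd=f'echo {ldap_password} | realm join -v {realm}')
    run_command(cmd='touch /etc/ipa/default.conf')
    run_command(cmd=f'echo "{default_content}" > /etc/ipa/default.conf')
    run_command(cmd=f'echo "{keytab_content}" > /etc/net-keytab.conf')

    # gather the apache id
    result = run_command(cmd='id -u apache')
    id_apache = result
    http_conf_content = (
        f'[service/HTTP]\nmechs = krb5\ncred_store = keytab:/etc/krb5.keytab'
        f'\ncred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U'
        f'\neuid = {id_apache}')

    # register the satellite as client for external auth
    run_command(cmd=f'echo "{http_conf_content}" > /etc/gssproxy/00-http.conf')
    token_command = (
        'KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP '
        '-U administrator -d3 -s /etc/net-keytab.conf')
    run_command(cmd=f'echo {ldap_password} | {token_command}')
    # the keytab holds the service key: owner root, group apache, no access
    # for other users
    run_command(cmd='chown root.apache /etc/httpd/conf/http.keytab')
    run_command(cmd='chmod 640 /etc/httpd/conf/http.keytab')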
Exemplo n.º 7
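def configure_realm():
    """Configure the FreeIPA realm feature of the foreman-proxy.

    Downloads the realm keytab, installs it under ``/etc/foreman-proxy`` for
    the foreman-proxy user, enables the realm in the installer, adds the IPA
    CA certificate to the system trust store and restarts foreman-proxy.
    """
    import shlex

    realm = settings.upgrade.vm_domain.upper()
    keytab_path = '/etc/foreman-proxy/freeipa.keytab'

    # The URL comes from settings; quoting keeps characters such as '&' or '?'
    # in it from being interpreted by the shell.
    keytab_url = shlex.quote(str(settings.ipa.keytab_url))
    run_command(cmd=f'curl -o /root/freeipa.keytab {keytab_url}')
    run_command(cmd='mv /root/freeipa.keytab /etc/foreman-proxy')
    run_command(cmd=f'chown foreman-proxy:foreman-proxy {keytab_path}')
    # A keytab is a credential. The downloaded file gets whatever mode the
    # umask allows, so restrict it to its owner explicitly.
    run_command(cmd=f'chmod 600 {keytab_path}')
    run_command(
        cmd='satellite-installer --foreman-proxy-realm true '
        f'--foreman-proxy-realm-principal realm-proxy@{realm} '
        f'--foreman-proxy-dhcp-nameservers {socket.gethostbyname(settings.ipa.hostname)}'
    )
    # trust the IPA CA system-wide
    run_command(
        cmd='cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt')
    run_command(cmd='update-ca-trust enable ; update-ca-trust')
    run_command(cmd='service foreman-proxy restart')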
Exemplo n.º 8
 def rh_sso_hammer_auth_cleanup():
     """Move the hammer config backup back into place and reset the RHSSO client settings."""
     backup_path = f"{HAMMER_CONFIG}.backup"
     run_command(f"mv {backup_path} {HAMMER_CONFIG}")
     # set publicClient back to "false" on the RHSSO client
     update_client_configuration({"publicClient": "false"})
Exemplo n.º 9
def test_single_sign_on_ldap_ipa_server(enroll_idm_and_configure_external_auth, ldap_tear_down):
    """Verify the single sign-on functionality with external authentication

    :id: 9813a4da-4639-11ea-9780-d46d6dd3b5b2

    :setup: Enroll the IDM Configuration for External Authentication

    :steps: Assert that a single sign-on session sends the user to satellite instead of the
        login page

    :expectedresults: After single sign-on the user should be redirected from /extlogin to
        the /hosts page

    """
    try:
        # Enable IPA authentication on the satellite and restart its services.
        run_command(cmd="subscription-manager repos --enable rhel-7-server-optional-rpms")
        run_command(cmd='satellite-installer --foreman-ipa-authentication=true', timeout=800)
        run_command('foreman-maintain service restart', timeout=300)

        # Request /users/extlogin from the IPA host with Negotiate
        # authentication and inspect the response text.
        response_lines = run_command(
            cmd=f"curl -k -u : --negotiate https://{settings.server.hostname}/users/extlogin/",
            hostname=settings.ipa.hostname_ipa,
        )
        response = ''.join(response_lines)
        assert 'redirected' in response
        assert f'https://{settings.server.hostname}/hosts' in response
        assert 'You are being' in response
    finally:
        # Switch external auth back off and remove the service and host
        # entries from the IPA server.
        run_command(cmd='satellite-installer --foreman-ipa-authentication=false', timeout=800)
        run_command('foreman-maintain service restart', timeout=300)
        run_command(
            cmd=f'ipa service-del HTTP/{settings.server.hostname}',
            hostname=settings.ipa.hostname_ipa,
        )
        run_command(
            cmd=f'ipa host-del {settings.server.hostname}',
            hostname=settings.ipa.hostname_ipa,
        )
Exemplo n.º 10
def foreman_service_teardown():
    """Yield first, then start the foreman service again."""
    yield
    # runs once the generator is resumed after the yield
    run_command('foreman-maintain service start --only=foreman')
Exemplo n.º 11
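def enroll_ad_and_configure_external_auth():
    """Enroll Satellite Server to an AD Server.

    Installs the client packages, puts the AD name server into
    ``/etc/resolv.conf``, joins the realm, writes the IPA, net-keytab and
    gssproxy configuration files and adds the HTTP keytab entry. The realm,
    name server and password are read from ``settings.ldap``.
    """
    import shlex

    packages = (
        'sssd adcli realmd ipa-python-compat krb5-workstation '
        'samba-common-tools gssproxy nfs-utils ipa-client'
    )
    realm = settings.ldap.realm
    # the workgroup is the first label of the realm name
    workgroup = realm.split(".")[0]
    # The password is piped to two commands below; quoting keeps spaces and
    # shell metacharacters in it from being interpreted by the shell.
    # NOTE(review): it is still part of the command string given to
    # run_command; whether that string is logged is not visible here - confirm.
    ldap_password = shlex.quote(str(settings.ldap.password))

    default_content = f"[global]\nserver = unused\nrealm = {realm}"
    keytab_content = (
        f"[global]\nworkgroup = {workgroup}\nrealm = {realm}"
        f"\nkerberos method = system keytab\nsecurity = ads"
    )

    # install the required packages
    run_command(cmd=f'yum -y --disableplugin=foreman-protector install {packages}')

    # update the AD name server: resolv.conf is made mutable for the edit and
    # marked immutable again afterwards
    run_command(cmd="chattr -i /etc/resolv.conf")
    result = run_command(
        cmd="awk -v search='nameserver' '$0~search{print NR; exit}' /etc/resolv.conf"
    )
    # int() makes sure only a line number reaches the sed expression
    line_number = int(''.join(result))
    run_command(
        cmd=f'sed -i "{line_number}i nameserver {settings.ldap.nameserver}" /etc/resolv.conf'
    )
    run_command(cmd="chattr +i /etc/resolv.conf")

    # join the realm
    run_command(cmd=f"echo {ldap_password} | realm join -v {realm}")
    run_command(cmd="touch /etc/ipa/default.conf")
    run_command(cmd=f'echo "{default_content}" > /etc/ipa/default.conf')
    run_command(cmd=f'echo "{keytab_content}" > /etc/net-keytab.conf')

    # gather the apache id
    result = run_command(cmd="id -u apache")
    id_apache = "".join(result)
    http_conf_content = (
        f"[service/HTTP]\nmechs = krb5\ncred_store = keytab:/etc/krb5.keytab"
        f"\ncred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U"
        f"\neuid = {id_apache}"
    )

    # register the satellite as client for external auth
    run_command(cmd=f'echo "{http_conf_content}" > /etc/gssproxy/00-http.conf')
    token_command = (
        "KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP "
        "-U administrator -d3 -s /etc/net-keytab.conf"
    )
    run_command(cmd=f"echo {ldap_password} | {token_command}")
    # the keytab holds the service key: owner root, group apache, no access
    # for other users
    run_command(cmd="chown root.apache /etc/httpd/conf/http.keytab")
    run_command(cmd="chmod 640 /etc/httpd/conf/http.keytab")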
Exemplo n.º 12
def unsubscribe():
    """Unregister the machine from the CDN, then run ``subscription-manager clean``."""
    for action in ('unregister', 'clean'):
        run_command(f'subscription-manager {action}')
Exemplo n.º 13
def clean_rhsm():
    """Remove pre-existing candlepin certs and reset RHSM.

    NOTE(review): the only command visible here uninstalls the
    katello-ca-consumer packages; confirm whether that alone covers the
    reset described above.
    """
    # List the installed packages, keep the katello-ca-consumer ones and erase
    # them; `xargs -r` skips `rpm -e` when nothing matched.
    run_command('rpm -qa | grep katello-ca-consumer | xargs -r rpm -e')