def test_rolecheck_DNS_CA(self):
    """ipa-backup rolecheck with a DNS+CA master and a growing replica.

    The master starts with the DNS and CA roles. A replica is installed
    without either role and is then upgraded; the steps shown here stop
    once DNS has been added to the replica.
    """
    master = self.master

    # Single master: DNS and CA are present, KRA is not, and backup works.
    for role in ('DNS', 'CA'):
        assert self._ipa_replica_role_check(
            master.hostname, self.serverroles[role])
    assert not self._ipa_replica_role_check(
        master.hostname, self.serverroles['KRA'])
    self._check_rolecheck_backup_success(master)

    # Install a replica that has neither CA nor DNS.
    replica = self.replicas[0]
    tasks.install_replica(master, replica, setup_ca=False)
    for role in ('DNS', 'CA', 'KRA'):
        assert not self._ipa_replica_role_check(
            replica.hostname, self.serverroles[role])
    # The master still passes the role check; the replica is checked with
    # the "failure" helper because it holds fewer roles than the master.
    self._check_rolecheck_backup_success(master)
    self._check_rolecheck_backup_failure(replica)

    # Add DNS to the replica. It still lacks CA, so the failure helper is
    # used again.
    tasks.install_dns(replica)
    assert self._ipa_replica_role_check(
        replica.hostname, self.serverroles['DNS'])
    self._check_rolecheck_backup_failure(replica)
def test_install_dns_on_replica1_and_dnssec_on_master(self):
    """Install a DNS server on the first replica and DNSSEC on the master.

    The master is configured by running ``ipa-dns-install`` with
    ``--dnssec-master`` in unattended mode (``-U``), using the forwarder
    from the master's test configuration.
    """
    tasks.install_dns(self.replicas[0])

    forwarder = self.master.config.dns_forwarder
    self.master.run_command(
        ["ipa-dns-install", "--dnssec-master", "--forwarder", forwarder, "-U"]
    )
def test_install_dns_on_replica1_and_dnssec_on_master(self):
    """Install a DNS server on the first replica and DNSSEC on the master.

    After ``ipa-dns-install --dnssec-master`` has run on the master, the
    ``dns`` service is enabled in the master's firewall.
    """
    tasks.install_dns(self.replicas[0])

    master = self.master
    dnssec_cmd = ["ipa-dns-install", "--dnssec-master"]
    dnssec_cmd += ["--forwarder", master.config.dns_forwarder]
    dnssec_cmd.append("-U")  # unattended: no interactive prompts
    master.run_command(dnssec_cmd)

    # Only the "dns" service is opened; nothing else is changed in the
    # firewall by this test.
    Firewall(master).enable_service("dns")
def test_replica1_ipa_dns_install(self):
    """Install the DNS role on ``self.replicas[1]``."""
    target = self.replicas[1]
    tasks.install_dns(target)
def test_install_dns(self):
    """Install the DNS role on the master with default options."""
    master = self.master
    tasks.install_dns(master)
def test_install_dns(self):
    """Install DNS on the master as DNSSEC key master."""
    # --no-dnssec-validation turns off DNSSEC validation on this server's
    # resolver, so answers from forwarders are accepted unverified.
    # NOTE(review): presumably chosen because the lab forwarders do not
    # serve signed zones -- confirm before copying these options elsewhere.
    dnssec_options = ['--dnssec-master', '--no-dnssec-validation']
    tasks.install_dns(self.master, extra_args=dnssec_options)
def test_replica2_ipa_dns_install(self):
    """Install the DNS role on ``self.replicas[2]``."""
    target = self.replicas[2]
    tasks.install_dns(target)
def test_install_dns(self):
    """Add the DNS role to the master using the helper's defaults."""
    dns_host = self.master
    tasks.install_dns(dns_host)
def test_install_dns(self):
    """Add DNS to the master and make it the DNSSEC key master."""
    # DNSSEC validation is switched off on this server by the second
    # option; the zone-signing role (--dnssec-master) is unaffected by it.
    # NOTE(review): validation is off for this test setup only as far as
    # this call shows -- confirm nothing later depends on validated answers.
    extra = ['--dnssec-master', '--no-dnssec-validation']
    tasks.install_dns(self.master, extra_args=extra)
def install(cls, mh):
    """Install an IPA master and then add the DNS role to it.

    ``mh`` is accepted for the caller's benefit but is not used here.
    """
    master = cls.master
    tasks.install_master(master)
    tasks.install_dns(master)
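def test_certmonger_reads_token_HSM(self):
    """Test if certmonger reads the token in HSM

    This is to ensure added HSM support for FreeIPA. A certificate is
    issued for a test service, moved onto a softhsm token, and the test
    checks that certmonger tracks it and can resubmit it.

    related : https://pagure.io/certmonger/issue/125
    """
    # NOTE: the PKCS#12 password and token PIN below are throwaway test
    # fixtures. They are passed on command lines and the PIN is written
    # to /root/pinfile, so they are visible in process listings and on
    # disk on the test host; they must not be reused for real tokens.
    test_service = 'test/%s' % self.master.hostname
    pkcs_passwd = 'Secret123'
    pin = '123456'
    noisefile = '/tmp/noisefile'
    # Random bytes handed to certutil (-z) as key-generation noise.
    self.master.put_file_contents(noisefile, os.urandom(64))

    tasks.kinit_admin(self.master)
    tasks.install_dns(self.master)
    self.master.run_command(['ipa', 'service-add', test_service])

    # create a csr
    cmd_args = ['certutil', '-d', paths.NSS_DB_DIR, '-R', '-a',
                '-o', '/root/ipa.csr',
                '-s', "CN=%s" % self.master.hostname,
                '-z', noisefile]
    self.master.run_command(cmd_args)

    # request certificate
    cmd_args = ['ipa', 'cert-request', '--principal', test_service,
                '--certificate-out', '/root/test.pem', '/root/ipa.csr']
    self.master.run_command(cmd_args)

    # adding trust flag
    cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n', 'test',
                '-a', '-i', '/root/test.pem', '-t', 'u,u,u']
    self.master.run_command(cmd_args)

    # export pkcs12 file
    cmd_args = ['pk12util', '-o', '/root/test.p12',
                '-d', paths.NSS_DB_DIR, '-n', 'test', '-W', pkcs_passwd]
    self.master.run_command(cmd_args)

    # add softhsm lib
    cmd_args = ['modutil', '-dbdir', paths.NSS_DB_DIR, '-add', 'softhsm',
                '-libfile', '/usr/lib64/softhsm/libsofthsm.so']
    # presumably the two newlines answer modutil's interactive prompts
    self.master.run_command(cmd_args, stdin_text="\n\n")

    # create a token
    cmd_args = ['softhsm2-util', '--init-token', '--label', 'test',
                '--pin', pin, '--so-pin', pin, '--free']
    self.master.run_command(cmd_args)

    self.master.run_command(['softhsm2-util', '--show-slots'])

    # Remove the key and certificate from the NSS database so that the
    # copy imported next lives only on the token.
    cmd_args = ['certutil', '-F', '-d', paths.NSS_DB_DIR, '-n', 'test']
    self.master.run_command(cmd_args)

    # Import the PKCS#12 bundle into the token named 'test' (-h).
    cmd_args = ['pk12util', '-i', '/root/test.p12',
                '-d', paths.NSS_DB_DIR, '-h', 'test',
                '-W', pkcs_passwd, '-K', pin]
    self.master.run_command(cmd_args)

    # Trust the IPA CA in the NSS database so the chain can be validated.
    cmd_args = ['certutil', '-A', '-d', paths.NSS_DB_DIR, '-n', 'IPA CA',
                '-t', 'CT,,', '-a', '-i', paths.IPA_CA_CRT]
    self.master.run_command(cmd_args)

    # validate the certificate
    self.master.put_file_contents('/root/pinfile', pin)
    cmd_args = ['certutil', '-V', '-u', 'V', '-e',
                '-d', paths.NSS_DB_DIR, '-h', 'test', '-n', 'test:test',
                '-f', '/root/pinfile']
    result = self.master.run_command(cmd_args)
    assert 'certificate is valid' in result.stdout_text

    # add certificate tracking to certmonger
    cmd_args = ['ipa-getcert', 'start-tracking',
                '-d', paths.NSS_DB_DIR, '-n', 'test', '-t', 'test',
                '-P', pin, '-K', test_service]
    result = self.master.run_command(cmd_args)
    request_ids = re.findall(r'\d+', result.stdout_text)
    # Fail with a readable message instead of an IndexError when the
    # output carries no request id.
    assert request_ids, (
        "no certmonger request id in start-tracking output: %r"
        % result.stdout_text
    )
    request_id = request_ids[0]

    # check if certificate is tracked by certmonger
    status = tasks.wait_for_request(self.master, request_id, 300)
    assert status == "MONITORING"

    # ensure if key and token are re-usable
    cmd_args = ['getcert', 'resubmit', '-i', request_id]
    self.master.run_command(cmd_args)

    status = tasks.wait_for_request(self.master, request_id, 300)
    assert status == "MONITORING"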