def install(cls, mh):
# External DNS is only available before install so cache a copy
# of the *ipa-epn-client package so we can experimentally remove
# it later.
#
# Notes:
# - A package can't be downloaded that is already installed so we
# have to remove it first.
# - dnf cleans up previously downloaded locations so make a copy it
# doesn't know about.
# - Adds a class variable, pkg, containing the package name of
# the downloaded *ipa-client-epn rpm.
tasks.uninstall_packages(cls.clients[0], EPN_PKG)
pkgdir = tasks.download_packages(cls.clients[0], EPN_PKG)
pkg = cls.clients[0].run_command(r'ls -1 {}'.format(pkgdir))
cls.pkg = pkg.stdout_text.strip()
cls.clients[0].run_command(
['cp', os.path.join(pkgdir, cls.pkg), '/tmp'])
cls.clients[0].run_command(r'rm -rf {}'.format(pkgdir))
tasks.install_packages(cls.master, EPN_PKG)
tasks.install_packages(cls.master, ["postfix"])
tasks.install_packages(cls.clients[0], EPN_PKG)
tasks.install_packages(cls.clients[0], ["postfix"])
for host in (cls.master, cls.clients[0]):
try:
tasks.install_packages(host, ["cyrus-sasl"])
except Exception:
# the package is likely already installed
pass
tasks.install_master(cls.master, setup_dns=True)
tasks.install_client(cls.master, cls.clients[0])
configure_postfix(cls.master, cls.master.domain.realm)
configure_postfix(cls.clients[0], cls.master.domain.realm)
def test_ipa_adtrust_install_with_locale_issue8066(self):
"""
This test checks that ipa-adtrust-install command runs successfully
on a system with locale en_IN.UTF-8 without displaying error below
'IndexError: list index out of range'
This is a testcase for Pagure issue
https://pagure.io/freeipa/issue/8066
"""
# Set locale to en_IN.UTF-8 in .bashrc file to avoid reboot
tasks.kinit_admin(self.master)
BASHRC_CFG = "/root/.bashrc"
bashrc_backup = tasks.FileBackup(self.master, BASHRC_CFG)
exp_msg = "en_IN.UTF-8"
try:
self.master.run_command(
'echo "export LC_TIME=en_IN.UTF-8" >> ' + BASHRC_CFG
)
result = self.master.run_command('echo "$LC_TIME"')
assert result.stdout_text.rstrip() == exp_msg
# Install ipa-server-adtrust and check status
msg1 = (
"Unexpected error - see /var/log/ipaserver-install.log"
"for details"
)
msg2 = "IndexError: list index out of range"
tasks.install_packages(self.master, ["*ipa-server-trust-ad"])
result = self.master.run_command(
["ipa-adtrust-install", "-U"], raiseonerr=False
)
assert msg1 not in result.stderr_text
assert msg2 not in result.stderr_text
finally:
bashrc_backup.restore()
def test_ipa_certs_check_ipacertnsstrust(self):
"""
Test checks the output for IPACertNSSTrust when kra is installed
on the IPA system using ipa-kra-install
"""
cmd = tasks.install_kra(self.master)
assert cmd.returncode == 0
tasks.install_packages(self.master, HEALTHCHECK_PKG)
self.master.run_command(
[
"ipa-healthcheck",
"--source",
"ipahealthcheck.ipa.certs",
"--check",
"IPACertNSSTrust",
"--output-file",
HEALTHCHECK_OUTPUT_FILE,
],
raiseonerr=False,
)
contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE,
encoding="utf-8")
data = json.loads(contents)
for check in data:
assert check["result"] == "SUCCESS"
assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS
or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS)
tasks.uninstall_master(self.master)
def test_ipa_dns_systemrecords_check(self):
"""
Test checks the result of IPADNSSystemRecordsCheck
when ipa-server is configured without DNS.
"""
msg1 = "Expected SRV record missing"
msg2 = "Got {count} ipa-ca A records, expected {expected}"
tasks.install_packages(self.master, HEALTHCHECK_PKG)
self.master.run_command(
[
"ipa-healthcheck",
"--source",
"ipahealthcheck.ipa.idns",
"--check",
"IPADNSSystemRecordsCheck",
"--output-file",
HEALTHCHECK_OUTPUT_FILE,
],
raiseonerr=False,
)
contents = self.master.get_file_contents(HEALTHCHECK_OUTPUT_FILE,
encoding="utf-8")
data = json.loads(contents)
for check in data:
assert check["result"] == "WARNING"
assert check["kw"]["msg"] == msg1 or check["kw"]["msg"] == msg2
def test_restore_trust_pkg_before_restore(self):
"""Test restore with adtrust when trust-ad pkg is missing.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
self.master.run_command(['ipa-adtrust-install', '-U',
'--enable-compat', '--netbios-name', 'IPA',
'-a', self.master.config.admin_password,
'--add-sids'])
with restore_checker(self.master):
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-trust-ad'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(
['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
def prepare_acme_client(cls):
# cache the acme service uri
acme_host = f'{IPA_CA_RECORD}.{cls.master.domain.name}'
cls.acme_server = f'https://{acme_host}/acme/directory'
# install acme client packages
if not skip_certbot_tests:
tasks.install_packages(cls.clients[0], ['certbot'])
if not skip_mod_md_tests:
tasks.install_packages(cls.clients[0], ['mod_md'])
def install(cls, mh):
tasks.install_packages(cls.master, EPN_PKG)
tasks.install_packages(cls.master, ["postfix"])
tasks.install_packages(cls.clients[0], EPN_PKG)
tasks.install_packages(cls.clients[0], ["postfix"])
for host in (cls.master, cls.clients[0]):
try:
tasks.install_packages(host, ["cyrus-sasl"])
except Exception:
# the package is likely already installed
pass
tasks.install_master(cls.master, setup_dns=True)
tasks.install_client(cls.master, cls.clients[0])
configure_postfix(cls.master, cls.master.domain.realm)
configure_postfix(cls.clients[0], cls.master.domain.realm)
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = tasks.get_backup_dir(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-dns'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password +
'\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-dns'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
if reinstall:
# If the server was reinstalled, reinstall may have changed
# the uid and restore reverts to the original value.
# clear the cache to make sure we get up-to-date values
tasks.clear_sssd_cache(self.master)
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_ipa_healthcheck_dna_plugin_returns_warning_pagure_issue_60(self):
"""
This testcase checks that the status for IPADNARangeCheck on replica
changes from WARNING to SUCCESS when user is added on the replica
as the DNA range is set.
Issue: freeipa/freeipa-healthcheck#60
"""
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
# Install ipa-healthcheck rpm on replica
tasks.install_packages(self.replicas[0], HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
self.replicas[0],
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 1
for check in data:
assert check["result"] == "WARNING"
assert (
check["kw"]["msg"] == "No DNA range defined. If no masters "
"define a range then users and groups cannot be created.")
# Now kinit as admin and add a user on replica which will create a
# DNA configuration.
tasks.kinit_admin(self.replicas[0])
tasks.user_add(
self.replicas[0],
'ipauser1',
first='Test',
last='User',
)
# Now run the ipa-healthcheck command again
returncode, data = run_healthcheck(
self.replicas[0],
"ipahealthcheck.ipa.dna",
"IPADNARangeCheck",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
def test_ipa_dns_systemrecords_check(self):
"""
Test checks the result of IPADNSSystemRecordsCheck
when ipa-server is configured without DNS.
"""
msg1 = "Expected SRV record missing"
msg2 = "Got {count} ipa-ca A records, expected {expected}"
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.ipa.idns",
"IPADNSSystemRecordsCheck",
)
assert returncode == 1
for check in data:
assert check["result"] == "WARNING"
assert check["kw"]["msg"] == msg1 or check["kw"]["msg"] == msg2
def test_ipa_certs_check_ipacertnsstrust(self):
"""
Test checks the output for IPACertNSSTrust when kra is installed
on the IPA system using ipa-kra-install
"""
cmd = tasks.install_kra(self.master)
assert cmd.returncode == 0
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.ipa.certs",
"IPACertNSSTrust",
)
assert returncode == 0
for check in data:
assert check["result"] == "SUCCESS"
assert (check["kw"]["key"] in DEFAULT_PKI_CA_CERTS
or check["kw"]["key"] in DEFAULT_PKI_KRA_CERTS)
tasks.uninstall_master(self.master)
def install(cls, mh):
for srv in (cls.master, cls.replicas[0]):
tasks.install_packages(srv, HEALTHCHECK_PKG)
# master with DNSSEC master
tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
cls.master.run_command([
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
])
# hidden replica with CA and DNS
tasks.install_replica(
cls.master, cls.replicas[0],
setup_dns=True, setup_kra=False,
extra_args=('--hidden-replica',)
)
# manually install KRA to verify that hidden state is synced
tasks.install_kra(cls.replicas[0])
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore.
Test for bug https://pagure.io/freeipa/issue/7630.
"""
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
tasks.uninstall_packages(self.master, ['*ipa-server-dns'])
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password +
'\nyes',
raiseonerr=False)
assert 'Please install the package' in result.stderr_text
tasks.install_packages(self.master, ['*ipa-server-dns'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_ipa_healthcheck_log_rotate_file_exist_issue35(self):
"""
This test checks if log rotation has been added
for ipa-healthcheck tool so that logs are rotated
in /var/log/ipa/healthcheck folder.
The test also checks that the logrotate configuration
file is syntactically correct by calling logrotate --debug
This is a testcase for below pagure issue
https://github.com/freeipa/freeipa-healthcheck/issues/35
"""
msg = "error: {}:".format(HEALTHCHECK_LOG_ROTATE_CONF)
tasks.uninstall_packages(self.master, HEALTHCHECK_PKG)
assert not self.master.transport.file_exists(
HEALTHCHECK_LOG_ROTATE_CONF)
tasks.install_packages(self.master, HEALTHCHECK_PKG)
assert self.master.transport.file_exists(HEALTHCHECK_LOG_ROTATE_CONF)
cmd = self.master.run_command(
['logrotate', '--debug', HEALTHCHECK_LOG_ROTATE_CONF])
assert msg not in cmd.stdout_text
def test_EPN_reinstall(self):
"""Test that EPN can be installed, uninstalled and reinstalled.
Since post-install we no longer have access to the repos
the package is downloaded and stored prior to server
installation.
"""
tasks.uninstall_packages(self.clients[0], EPN_PKG)
tasks.install_packages(self.clients[0],
[os.path.join('/tmp', self.pkg)])
self.clients[0].run_command(r'rm -f /tmp/{}'.format(self.pkg))
# re-installing will create a new epn.conf so any execution
# of ipa-epn will verify the reinstall was ok. Since the previous
# test would have failed this one should be ok with new config.
# Re-run the admin user expected failure
(unused, stderr_text, _unused) = self._check_epn_output(self.master,
dry_run=True)
assert "uid=admin" in stderr_text
def setup_keycloakserver(host, version='17.0.0'):
dir = "/opt/keycloak"
password = host.config.admin_password
tasks.install_packages(host, [
"unzip", "java-11-openjdk-headless", "openssl", "maven", "wget",
"firefox", "xorg-x11-server-Xvfb"
])
# add keycloak system user/group and folder
url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format(
version) # noqa: E501
host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)])
host.run_command(
["unzip", "{0}-{1}.zip".format(dir, version), "-d", "/opt/"])
host.run_command(["mv", "{0}-{1}".format(dir, version), dir])
host.run_command(["groupadd", "keycloak"])
host.run_command(
["useradd", "-r", "-g", "keycloak", "-d", dir, "keycloak"])
host.run_command(["chown", "-R", "keycloak:", dir])
host.run_command(["chmod", "o+x", "{0}/bin/".format(dir)])
host.run_command(["restorecon", "-R", dir])
# setup TLS certificate using IPA CA
host.run_command(["kinit", "-k"])
host.run_command(["ipa", "service-add", "HTTP/{0}".format(host.hostname)])
key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key")
crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt")
keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store")
host.run_command([
"ipa-getcert", "request", "-K", "HTTP/{0}".format(host.hostname), "-D",
host.hostname, "-o", "keycloak", "-O", "keycloak", "-m", "0600", "-M",
"0644", "-k", key, "-f", crt, "-w"
])
host.run_command([
"keytool", "-import", "-keystore", keystore, "-file",
"/etc/ipa/ca.crt", "-alias", "ipa_ca", "-trustcacerts", "-storepass",
password, "-noprompt"
])
host.run_command(["chown", "keycloak:keycloak", keystore])
# Setup keycloak service and config files
contents = textwrap.dedent("""
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD={admin_pswd}
KC_HOSTNAME={host}:8443
KC_HTTPS_CERTIFICATE_FILE={crt}
KC_HTTPS_CERTIFICATE_KEY_FILE={key}
KC_HTTPS_TRUST_STORE_FILE={store}
KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd}
KC_HTTP_RELATIVE_PATH=/auth
""").format(admin_pswd=password,
host=host.hostname,
crt=crt,
key=key,
store=keystore,
store_pswd=password)
host.put_file_contents("/etc/sysconfig/keycloak", contents)
contents = textwrap.dedent("""
[Unit]
Description=Keycloak Server
After=network.target
[Service]
Type=idle
EnvironmentFile=/etc/sysconfig/keycloak
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak/bin/kc.sh start
TimeoutStartSec=600
TimeoutStopSec=600
[Install]
WantedBy=multi-user.target
""")
host.put_file_contents("/etc/systemd/system/keycloak.service", contents)
host.run_command(["systemctl", "daemon-reload"])
# Run build stage first
env_vars = textwrap.dedent("""
export KEYCLOAK_ADMIN=admin
export KC_HOSTNAME={hostname}:8443
export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt
export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key
export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store
export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS}
export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS}
export KC_HTTP_RELATIVE_PATH=/auth
""").format(hostname=host.hostname,
STORE_PASS=password,
ADMIN_PASS=password)
content = host.get_file_contents('/etc/bashrc', encoding='utf-8')
new_content = content + "\n{}".format(env_vars)
host.put_file_contents('/etc/bashrc', new_content)
host.run_command(['bash'])
host.run_command(
['su', '-', 'keycloak', '-c', '/opt/keycloak/bin/kc.sh build'])
host.run_command(["systemctl", "start", "keycloak"])
host.run_command(["/opt/keycloak/bin/kc.sh", "show-config"])
# Setup keycloak for use:
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
host.run_command([
kcadmin_sh, "config", "truststore", "--trustpass", password, keystore
])
kcadmin = [
kcadmin_sh, "config", "credentials", "--server",
"https://{0}:8443/auth/".format(host.hostname), "--realm", "master",
"--user", "admin", "--password", password
]
tasks.run_repeatedly(host, kcadmin, timeout=60)
host.run_command([
kcadmin_sh, "create", "users", "-r", "master", "-s",
"username=testuser1", "-s", "enabled=true", "-s",
"[email protected]"
])
host.run_command([
kcadmin_sh, "set-password", "-r", "master", "--username", "testuser1",
"--new-password", password
])
def test_rolecheck_Trust(self):
"""ipa-backup rolecheck: add Trust controllers/agents.
"""
# install AD Trust packages on replica first
tasks.install_packages(self.replicas[0], ['*ipa-server-trust-ad'])
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_success(self.master)
tasks.install_packages(self.master, ['*ipa-server-trust-ad'])
# make replicas[0] become Trust Controller
self.replicas[0].run_command([
'ipa-adtrust-install', '-U', '--netbios-name', 'IPA',
'-a', self.master.config.admin_password,
'--add-sids'
])
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.replicas[0].ldap_connect())
# double-check
assert self._ipa_replica_role_check(
self.replicas[0].hostname, self.serverroles['ADTC']
)
# check that master has no AD Trust-related role
assert not self._ipa_replica_role_check(
self.master.hostname, self.serverroles['ADTA']
)
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_failure(self.master)
# make master become Trust Agent
cmd_input = (
# admin password:
self.master.config.admin_password + '\n' +
# WARNING: The smb.conf already exists. Running ipa-adtrust-install
# will break your existing samba configuration.
# Do you wish to continue? [no]:
'yes\n'
# Enable trusted domains support in slapi-nis? [no]:
'\n' +
# WARNING: 1 IPA masters are not yet able to serve information
# about users from trusted forests.
# Installer can add them to the list of IPA masters allowed to
# access information about trusts.
# If you choose to do so, you also need to restart LDAP service on
# those masters.
# Refer to ipa-adtrust-install(1) man page for details.
# IPA master[replica1.testrelm.test]?[no]:
'yes\n'
)
self.replicas[0].run_command([
'ipa-adtrust-install', '--add-agents'], stdin_text=cmd_input
)
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.replicas[0].ldap_connect())
# check that master is now an AD Trust agent
assert self._ipa_replica_role_check(
self.master.hostname, self.serverroles['ADTA']
)
# but not an AD Trust controller
assert not self._ipa_replica_role_check(
self.master.hostname, self.serverroles['ADTC']
)
self._check_rolecheck_backup_success(self.replicas[0])
self._check_rolecheck_backup_failure(self.master)
# make master become Trust Controller
self.master.run_command([
'ipa-adtrust-install', '-U', '--netbios-name', 'IPA',
'-a', self.master.config.admin_password,
'--add-sids'
])
# wait for replication to propagate the change on
# cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test
# as the ipa server-role-find call is using this entry to
# build its output
tasks.wait_for_replication(self.master.ldap_connect())
# master and replicas[0] are both AD Trust Controllers now.
for hostname in [self.master.hostname, self.replicas[0].hostname]:
assert self._ipa_replica_role_check(
hostname, self.serverroles['ADTC']
)
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_success(self.replicas[0])
# switch replicas[0] to hidden
self.replicas[0].run_command([
'ipa', 'server-state',
self.replicas[0].hostname, '--state=hidden'
])
self._check_rolecheck_backup_success(self.master)
self._check_rolecheck_backup_success(self.replicas[0])
def test_ipa_healthcheck_install_on_master(self):
"""
Testcase to check healthcheck package is installed
succesfully on IPA master.
"""
tasks.install_packages(self.master, HEALTHCHECK_PKG)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
tasks.install_packages(cls.master, HEALTHCHECK_PKG)
def test_ipa_healthcheck_install_on_replica(self):
"""
Testcase to check healthcheck package is installed
succesfully on IPA replica.
"""
tasks.install_packages(self.replicas[0], HEALTHCHECK_PKG)
