def test_add_permission_failure_issue5923(self):
# https://pagure.io/freeipa/issue/5923
# error response used to contain bytes instead of text
tasks.kinit_admin(self.master)
# neither privilege nor permission exists
result = self.master.run_command([
"ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"
],
raiseonerr=False)
assert result.returncode == 2
err = result.stderr_text.strip() # pylint: disable=no-member
assert err == "ipa: ERROR: loc: privilege not found"
# add privilege
result = self.master.run_command(["ipa", "privilege-add", "loc"], )
assert 'Added privilege "loc"' in result.stdout_text
# permission is still missing
result = self.master.run_command([
"ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"
],
raiseonerr=False)
assert result.returncode == 1
assert "Number of permissions added 0" in result.stdout_text
def install(cls, mh):
super(TestRulesWithServicePrincipals, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
cls.replica = "replica.%s" % master.domain.name
master.run_command(['ipa', 'host-add', cls.replica, '--force'])
cls.service_name = "svc/%s" % master.hostname
cls.replica_service_name = "svc/%s" % cls.replica
master.run_command("ipa service-add %s" % cls.service_name)
master.run_command("ipa service-add %s --force" %
cls.replica_service_name)
master.run_command("ipa service-add-host %s --hosts %s" %
(cls.service_name, cls.replica))
master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
master.run_command("ipa caacl-add-host %s --hosts %s" %
(cls.caacl, cls.replica))
master.run_command("ipa caacl-add-service %s --services"
" svc/`hostname`" % cls.caacl)
master.run_command("ipa-getkeytab -p host/%s@%s -k %s" %
(cls.replica, master.domain.realm, cls.keytab))
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
# Prepare a CSR
cls.prepare_config()
stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
master.run_command([
'openssl', 'req', '-config', cls.csr_conf, '-new', '-out', cls.csr
],
stdin_text=stdin_text)
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_stageuser_show_as_alternate_admin(self):
"""
Test that a user member of admins group can call stageuser-show
and read the 'Kerberos Keys available' information.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new stage user 'stageuser' with a password
stageuser = '******'
password = '******'
stageuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'stageuser-add', stageuser,
'--first', stageuser,
'--last', stageuser,
'--password'],
stdin_text=stageuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa stageuser-show
# the field Kerberos Keys available must contain True
result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
assert 'Kerberos keys available: True' in result.stdout_text
def test_delete_preserve_as_alternate_admin(self):
"""
Test that a user member of admins group can call delete --preserve.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new user 'testuser' with a password
testuser = '******'
password = '******'
testuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', testuser,
'--first', testuser,
'--last', testuser,
'--password'],
stdin_text=testuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa user-del --preserve
self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
def test_delete_preserve_as_alternate_admin(self):
"""
Test that a user member of admins group can call delete --preserve.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new user 'testuser' with a password
testuser = '******'
password = '******'
testuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', testuser,
'--first', testuser,
'--last', testuser,
'--password'],
stdin_text=testuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa user-del --preserve
self.master.run_command(['ipa', 'user-del', '--preserve', testuser])
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(self.master)
assert result.returncode == 0
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
# check that we can also install replica
tasks.install_replica(self.master, self.replicas[0])
# check that nsds5ReplicaReleaseTimeout option was set
result = self.master.run_command([
'ldapsearch',
'-x',
'-D',
'cn=directory manager',
'-w', self.master.config.dirman_password,
'-b', 'cn=mapping tree,cn=config',
'(cn=replica)',
'-LLL',
'-o',
'ldif-wrap=no'])
assert 'nsds5ReplicaReleaseTimeout: 60' in result.stdout_text
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(self.master)
assert result.returncode == 0
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(self.master, ipa_ca_fname,
root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
# check that we can also install replica
tasks.install_replica(self.master, self.replicas[0])
# check that nsds5ReplicaReleaseTimeout option was set
result = self.master.run_command([
'ldapsearch', '-x', '-D', 'cn=directory manager', '-w',
self.master.config.dirman_password, '-b',
'cn=mapping tree,cn=config', '(cn=replica)', '-LLL', '-o',
'ldif-wrap=no'
])
# case insensitive match
text = result.stdout_text.lower()
# see ipaserver.install.replication.REPLICA_FINAL_SETTINGS
assert 'nsds5ReplicaReleaseTimeout: 60'.lower() in text
assert 'nsDS5ReplicaBindDnGroupCheckInterval: 60'.lower() in text
def test_stageuser_show_as_alternate_admin(self):
"""
Test that a user member of admins group can call stageuser-show
and read the 'Kerberos Keys available' information.
This is a test case for issue 7342
"""
# kinit admin
tasks.kinit_admin(self.master)
# Create a new stage user 'stageuser' with a password
stageuser = '******'
password = '******'
stageuser_password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'stageuser-add', stageuser,
'--first', stageuser,
'--last', stageuser,
'--password'],
stdin_text=stageuser_password_confirmation)
# kinit as altadmin
self.master.run_command(['kinit', self.altadmin],
stdin_text=self.master.config.admin_password)
# call ipa stageuser-show
# the field Kerberos Keys available must contain True
result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
assert 'Kerberos keys available: True' in result.stdout_text
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
self.master.run_command([
'kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % self.master.hostname
])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
tasks.kinit_admin(self.master)
self.master.run_command(['klist'])
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
result = self.master.run_command(
[
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
'--admin', 'Administrator', '--password', '--range-type',
'ipa-ad-trust'
],
stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(self.ad_treedomain)
in result.stderr_text)
def test_external_ca(self):
# Step 1 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-U', '-a',
self.master.config.admin_password, '-p',
self.master.config.dirman_password, '--setup-dns',
'--no-forwarders', '-n', self.master.domain.name, '-r',
self.master.domain.realm,
'--domain-level=%i' % self.master.config.domain_level,
'--external-ca'
])
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-a', self.master.config.admin_password,
'-p', self.master.config.dirman_password, '--external-cert-file',
ipa_ca_fname, '--external-cert-file', root_ca_fname
])
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def test_add_permission_failure_issue5923(self):
# https://pagure.io/freeipa/issue/5923
# error response used to contain bytes instead of text
tasks.kinit_admin(self.master)
# neither privilege nor permission exists
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 2
err = result.stderr_text.strip() # pylint: disable=no-member
assert err == "ipa: ERROR: loc: privilege not found"
# add privilege
result = self.master.run_command(
["ipa", "privilege-add", "loc"],
)
assert 'Added privilege "loc"' in result.stdout_text
# permission is still missing
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 1
assert "Number of permissions added 0" in result.stdout_text
def install(cls, mh):
super(TestRulesWithServicePrincipals, cls).install(mh)
master = cls.master
tasks.kinit_admin(master)
cls.replica = "replica.%s" % master.domain.name
master.run_command(['ipa', 'host-add', cls.replica, '--force'])
cls.service_name = "svc/%s" % master.hostname
cls.replica_service_name = "svc/%s" % cls.replica
master.run_command("ipa service-add %s" % cls.service_name)
master.run_command("ipa service-add %s --force" %
cls.replica_service_name)
master.run_command("ipa service-add-host %s --hosts %s" % (
cls.service_name, cls.replica))
master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
cls.replica))
master.run_command("ipa caacl-add-service %s --services"
" svc/`hostname`" % cls.caacl)
master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
cls.replica, master.domain.realm, cls.keytab))
master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
# Prepare a CSR
cls.prepare_config()
stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
'-out', cls.csr], stdin_text=stdin_text)
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def teardown_method(self, method):
self.replicas[0].run_command(['ipa-client-install',
'--uninstall', '-U'],
raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del',
self.replicas[0].hostname],
raiseonerr=False)
def teardown_method(self, method):
self.replicas[0].run_command(['ipa-client-install',
'--uninstall', '-U'],
raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del',
self.replicas[0].hostname],
raiseonerr=False)
def test_service_as_user_admin(self):
"""Test that a service in User Administrator role can manage users"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command([
'ipa-getkeytab', '-p', service_name, '-k', keytab_file, '-s',
self.master.hostname
])
# Check that the service cannot add a user
self.master.run_command(['kdestroy'])
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
result = self.master.run_command([
'ipa', 'role-add-member', 'User Administrator', '--service',
service_name
],
raiseonerr=False)
assert result.returncode > 0
# Add service to User Administrator role
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'role-add-member', 'User Administrator', '--service',
service_name
])
# Check that the service now can add a user
self.master.run_command(['kdestroy'])
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
self.master.run_command([
'ipa', 'user-add', 'tuser', '--first', 'a', '--last', 'b',
'--random'
])
# Clean up
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-del', service_name])
self.master.run_command(['ipa', 'user-del', 'tuser'])
def teardown_method(self, method):
if len(config.domains) == 0:
# No YAML config was set
return
self.replicas[0].run_command(
['ipa-client-install', '--uninstall', '-U'], raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del', self.replicas[0].hostname],
raiseonerr=False)
def test_kra_install_master(self):
result1 = tasks.install_kra(self.master,
first_instance=True,
raiseonerr=False)
assert result1.returncode == 0, result1.stderr_text
tasks.kinit_admin(self.master)
result2 = self.master.run_command(["ipa", "vault-find"],
raiseonerr=False)
found = result2.stdout_text.find("0 vaults matched")
assert (found > 0), result2.stdout_text
def test_kra_install_master(self):
result1 = tasks.install_kra(self.master,
first_instance=True,
raiseonerr=False)
assert result1.returncode == 0, result1.stderr_text
tasks.kinit_admin(self.master)
result2 = self.master.run_command(["ipa", "vault-find"],
raiseonerr=False)
found = result2.stdout_text.find("0 vaults matched")
assert(found > 0), result2.stdout_text
def test_service_as_user_admin(self):
"""Test that a service in User Administrator role can manage users"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file,
'-s', self.master.hostname])
# Check that the service cannot add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
result = self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name],
raiseonerr=False)
assert result.returncode > 0
# Add service to User Administrator role
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'role-add-member',
'User Administrator',
'--service', service_name])
# Check that the service now can add a user
self.master.run_command(['kdestroy'])
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
self.master.run_command(['ipa', 'user-add', 'tuser',
'--first', 'a', '--last', 'b', '--random'])
# Clean up
self.master.run_command(['kdestroy'])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'service-del', service_name])
self.master.run_command(['ipa', 'user-del', 'tuser'])
def teardown_method(self, method):
if len(config.domains) == 0:
# No YAML config was set
return
self.replicas[0].run_command(['ipa-client-install',
'--uninstall', '-U'],
raiseonerr=False)
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'host-del',
self.replicas[0].hostname],
raiseonerr=False)
def run_advice(master, advice_id, advice_regex, raiseerr):
# Obtain the advice from the server
tasks.kinit_admin(master)
result = master.run_command(['ipa-advise', advice_id], raiseonerr=raiseerr)
if not result.stdout_text:
advice = result.stderr_text
else:
advice = result.stdout_text
assert re.search(advice_regex, advice, re.S)
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa",
"vault-add",
self.vault_name,
"--password",
self.vault_password,
"--type",
"symmetric",
])
# archive secret
self.master.run_command([
"ipa",
"vault-archive",
self.vault_name,
"--password",
self.vault_password,
"--data",
self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
def run_advice(master, advice_id, advice_regex, raiseerr):
# Obtain the advice from the server
tasks.kinit_admin(master)
result = master.run_command(['ipa-advise', advice_id],
raiseonerr=raiseerr)
if not result.stdout_text:
advice = result.stderr_text
else:
advice = result.stdout_text
assert re.search(advice_regex, advice, re.S)
def test_service_access(self):
""" Test that user is granted access when authenticated using
credentials that are sufficient for a service, and denied access
when using insufficient credentials"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service without authentication indicator
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file])
# Set authentication-type for admin user
self.master.run_command(['ipa', 'user-mod', 'admin',
'--user-auth-type=password',
'--user-auth-type=otp'])
# Authenticate
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
# Verify access to service is granted
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode == 0
# Obtain admin ticket to be able to update service
tasks.kinit_admin(self.master)
# Modify service to have authentication indicator
self.master.run_command(['ipa', 'service-mod', service_name,
'--auth-ind=otp'])
self.master.run_command(['ipa-getkeytab',
'-p', service_name,
'-k', keytab_file])
# Authenticate
self.master.run_command(['kinit', '-k', service_name,
'-t', keytab_file])
# Verify access to service is rejected
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode > 0
def test_service_access(self):
""" Test that user is granted access when authenticated using
credentials that are sufficient for a service, and denied access
when using insufficient credentials"""
service_name = 'testservice/%s@%s' % (self.master.hostname,
self.master.domain.realm)
keytab_file = os.path.join(self.master.config.test_dir,
'testservice_keytab')
# Prepare a service without authentication indicator
self.master.run_command(['ipa', 'service-add', service_name])
self.master.run_command(
['ipa-getkeytab', '-p', service_name, '-k', keytab_file])
# Set authentication-type for admin user
self.master.run_command([
'ipa', 'user-mod', 'admin', '--user-auth-type=password',
'--user-auth-type=otp'
])
# Authenticate
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
# Verify access to service is granted
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode == 0
# Obtain admin ticket to be able to update service
tasks.kinit_admin(self.master)
# Modify service to have authentication indicator
self.master.run_command(
['ipa', 'service-mod', service_name, '--auth-ind=otp'])
self.master.run_command(
['ipa-getkeytab', '-p', service_name, '-k', keytab_file])
# Authenticate
self.master.run_command(
['kinit', '-k', service_name, '-t', keytab_file])
# Verify access to service is rejected
result = self.master.run_command(['kvno', service_name],
raiseonerr=False)
assert result.returncode > 0
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
log.info('Storing result for %s', check)
results.append(check(host))
yield
for (check, assert_func), expected in zip(CHECKS, results):
log.info('Checking result for %s', check)
got = check(host)
assert_func(expected, got)
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT], raiseonerr=False)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64], raiseonerr=False)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def test_apply_advice(self):
# Obtain the advice from the server
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa-advise', self.advice_id])
advice = result.stdout_text
# Apply the advice on the legacy client
advice_path = os.path.join(self.legacy_client.config.test_dir,
'advice.sh')
self.legacy_client.put_file_contents(advice_path, advice)
result = self.legacy_client.run_command(['bash', '-x', '-e',
advice_path])
# Restart SSHD to load new PAM configuration
self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def restore_checker(host):
"""Check that the IPA at host works the same at context enter and exit"""
tasks.kinit_admin(host)
results = []
for check, assert_func in CHECKS:
logger.info('Storing result for %s', check.__name__)
results.append(check(host))
yield
for (check, assert_func), expected in zip(CHECKS, results):
logger.info('Checking result for %s', check.__name__)
got = check(host)
assert_func(expected, got)
def test_apply_advice(self):
# Obtain the advice from the server
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa-advise', self.advice_id])
advice = result.stdout_text
# Apply the advice on the legacy client
advice_path = os.path.join(self.legacy_client.config.test_dir,
'advice.sh')
self.legacy_client.put_file_contents(advice_path, advice)
result = self.legacy_client.run_command(['bash', '-x', '-e',
advice_path])
# Restart SSHD to load new PAM configuration
self.legacy_client.run_command([paths.SBIN_SERVICE, 'sshd', 'restart'])
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(self.master, client, user=username,
password=password)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master, self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
assert (segment['name']
in result1), ("%s: segment not found" % segment['name'])
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
# Since segment name can be one of master-to-replica2 or
# replica2-to-master, we need to determine the segment name dynamically
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
replica1_ldap = self.replicas[0].ldap_connect()
tasks.wait_for_replication(replica1_ldap)
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
assert (deleteme not in result3), "%s: segment still exists" % deleteme
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command([
'ipa', 'user-add', 'someuser', '--first', 'test', '--last', 'user'
])
dest_ldap = self.replicas[1].ldap_connect()
tasks.wait_for_replication(dest_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert ('someuser' in result4.stdout_text), 'User not found: someuser'
def test_add_remove_segment(self):
"""
Make sure a topology segment can be manually created and deleted
with the influence on the real topology
Testcase http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:_Basic_CRUD_test
"""
tasks.kinit_admin(self.master)
# Install the second replica
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# turn a star into a ring
segment, err = tasks.create_segment(self.master,
self.replicas[0],
self.replicas[1])
assert err == "", err
# Make sure the new segment is shown by `ipa topologysegment-find`
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(segment['name'] in result1), (
"%s: segment not found" % segment['name'])
# Remove master <-> replica2 segment and make sure that the changes get
# there through replica1
# Since segment name can be one of master-to-replica2 or
# replica2-to-master, we need to determine the segment name dynamically
deleteme = find_segment(self.master, self.replicas[1])
returncode, error = tasks.destroy_segment(self.master, deleteme)
assert returncode == 0, error
# Wait till replication ends and make sure replica1 does not have
# segment that was deleted on master
replica1_ldap = self.replicas[0].ldap_connect()
tasks.wait_for_replication(replica1_ldap)
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
assert(deleteme not in result3), "%s: segment still exists" % deleteme
# Create test data on master and make sure it gets all the way down to
# replica2 through replica1
self.master.run_command(['ipa', 'user-add', 'someuser',
'--first', 'test',
'--last', 'user'])
dest_ldap = self.replicas[1].ldap_connect()
tasks.wait_for_replication(dest_ldap)
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
assert('someuser' in result4.stdout_text), 'User not found: someuser'
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT])
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64])
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(self.master)
assert result.returncode == 0
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(self.master, ipa_ca_fname,
root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def test_replica_after_domain_upgrade(self):
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
self.master.run_command(['ipa', 'user-add', self.username,
'--first', 'test',
'--last', 'user'])
tasks.wait_for_replication(self.replicas[0].ldap_connect())
self.master.run_command(['ipa', 'domainlevel-set',
str(DOMAIN_LEVEL_1)])
result = self.replicas[0].run_command(['ipa', 'user-show',
self.username])
assert("User login: %s" % self.username in result.stdout_text), (
"A testuser was not found on replica after domain upgrade")
self.replicas[0].run_command(['ipa', 'user-del', self.username])
tasks.wait_for_replication(self.master.ldap_connect())
result1 = self.master.run_command(['ipa', 'user-show', self.username],
raiseonerr=False)
assert_error(result1, "%s: user not found" % self.username, 2)
def test_external_ca(self):
# Step 1 of ipa-server-install.
result = install_server_external_ca_step1(self.master)
assert result.returncode == 0
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport(
self.master, paths.ROOT_IPA_CSR, ROOT_CA, IPA_CA)
# Step 2 of ipa-server-install.
result = install_server_external_ca_step2(
self.master, ipa_ca_fname, root_ca_fname)
assert result.returncode == 0
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command(['ipa', 'user-add', cls.username, '--password',
'--first', 'John', '--last', 'Donn'],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command(['ipa', 'user-add', cls.username, '--password',
'--first', 'John', '--last', 'Donn'],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def test_replica_after_domain_upgrade(self):
tasks.kinit_admin(self.master)
tasks.kinit_admin(self.replicas[0])
self.master.run_command(['ipa', 'user-add', self.username,
'--first', 'test',
'--last', 'user'])
tasks.wait_for_replication(self.replicas[0].ldap_connect())
self.master.run_command(['ipa', 'domainlevel-set',
str(DOMAIN_LEVEL_1)])
result = self.replicas[0].run_command(['ipa', 'user-show',
self.username])
assert("User login: %s" % self.username in result.stdout_text), (
"A testuser was not found on replica after domain upgrade")
self.replicas[0].run_command(['ipa', 'user-del', self.username])
tasks.wait_for_replication(self.master.ldap_connect())
result1 = self.master.run_command(['ipa', 'user-show', self.username],
raiseonerr=False)
assert_error(result1, "%s: user not found" % self.username, 2)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa',
'dnszone-add',
self.example_test_zone,
'--dnssec',
'true',
])
assert wait_until_record_is_signed(self.master.ip,
self.example_test_zone,
self.log), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert wait_until_record_is_signed(
self.master.ip, self.example_test_zone,
self.log), ("Zone is not signed after "
"restore")
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa',
'dnszone-add',
self.example2_test_zone,
'--dnssec',
'true',
])
assert wait_until_record_is_signed(
self.master.ip, self.example2_test_zone,
self.log), "A new zone is not signed"
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
# Determine whether the tree domain AD is available
try:
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
cls.ad_treedomain = '.'.join(
cls.tree_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_treedomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def test_invalid_range_types(self):
invalid_range_types = ['ipa-local',
'ipa-ad-winsync',
'ipa-ipa-trust',
'random-invalid',
're@ll%ybad12!']
for range_type in invalid_range_types:
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin',
'Administrator', '--range-type', range_type, '--password'],
raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
# The trust-add command is supposed to fail
assert result.returncode == 1
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert (self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert (self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master,
self.replicas[1],
setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert (len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(
['ipa', 'topologysegment-find', DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert (num_entries == "1"), "Incorrect number of entries displayed"
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
# Determine whether the tree domain AD is available
try:
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
cls.ad_treedomain = '.'.join(
cls.tree_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_treedomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % self.master.hostname])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
tasks.kinit_admin(self.master)
self.master.run_command(['klist'])
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
result = self.master.run_command([
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
], stdin_text=self.master.config.ad_admin_password,
raiseonerr=False)
assert result != 0
assert ("Domain '{0}' is not a root domain".format(
self.ad_treedomain) in result.stderr_text)
def test_topology_updated_on_replica_install_remove(self):
"""
Install and remove a replica and make sure topology information is
updated on all other replicas
Testcase: http://www.freeipa.org/page/V4/Manage_replication_topology/
Test_plan#Test_case:
_Replication_topology_should_be_saved_in_the_LDAP_tree
"""
tasks.kinit_admin(self.master)
result1 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
segment_name = self.segmentnames_re.findall(result1)[0]
assert(self.master.hostname in segment_name), (
"Segment %s does not contain master hostname" % segment_name)
assert(self.replicas[0].hostname in segment_name), (
"Segment %s does not contain replica hostname" % segment_name)
tasks.install_replica(self.master, self.replicas[1], setup_ca=False,
setup_dns=False)
# We need to make sure topology information is consistent across all
# replicas
result2 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
result4 = self.replicas[1].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
segments = self.tokenize_topologies(result2.stdout_text)
assert(len(segments) == 2), "Unexpected number of segments found"
assert_deepequal(result2.stdout_text, result3.stdout_text)
assert_deepequal(result3.stdout_text, result4.stdout_text)
# Now let's check that uninstalling the replica will update the topology
# info on the rest of replicas.
# first step of uninstallation is removal of the replica on other
# master, then it can be uninstalled. Doing it the other way is also
# possible, but not reliable - some data might not be replicated.
tasks.clean_replication_agreement(self.master, self.replicas[1])
tasks.uninstall_master(self.replicas[1])
result5 = self.master.run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME])
num_entries = self.noentries_re.search(result5.stdout_text).group(1)
assert(num_entries == "1"), "Incorrect number of entries displayed"
def test_external_ca(self):
# Step 1 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-U', '-a',
self.master.config.admin_password, '-p',
self.master.config.dirman_password, '--setup-dns',
'--no-forwarders', '-n', self.master.domain.name, '-r',
self.master.domain.realm,
'--domain-level=%i' % self.master.config.domain_level,
'--external-ca'
])
test_dir = self.master.config.test_dir
# Get IPA CSR as bytes
ipa_csr = self.master.get_file_contents('/root/ipa.csr')
external_ca = ExternalCA()
# Create root CA
root_ca = external_ca.create_ca()
# Sign CSR
ipa_ca = external_ca.sign_csr(ipa_csr)
root_ca_fname = os.path.join(test_dir, 'root_ca.crt')
ipa_ca_fname = os.path.join(test_dir, 'ipa_ca.crt')
# Transport certificates (string > file) to master
self.master.put_file_contents(root_ca_fname, root_ca)
self.master.put_file_contents(ipa_ca_fname, ipa_ca)
# Step 2 of ipa-server-install
self.master.run_command([
'ipa-server-install', '-a', self.master.config.admin_password,
'-p', self.master.config.dirman_password, '--external-cert-file',
ipa_ca_fname, '--external-cert-file', root_ca_fname
])
# Make sure IPA server is working properly
tasks.kinit_admin(self.master)
result = self.master.run_command(['ipa', 'user-show', 'admin'])
assert 'User login: admin' in result.stdout_text
def test_adtrust_system_records(self):
""" Test ADTrust dns records with firstly installing a trust then
removing the records and using the nsupdate generated by
dns-update-system-records."""
self.master.run_command(['ipa-adtrust-install', '-U',
'--enable-compat', '--netbios-name', 'IPA',
'-a', self.master.config.admin_password,
'--add-sids'])
# lets re-kinit after adtrust-install and restart named
tasks.kinit_admin(self.master)
tasks.restart_named(self.master)
time.sleep(5)
self.delete_update_system_records(rnames=(r[0] for r in
IPA_DEFAULT_ADTRUST_SRV_REC))
expected_servers = (
(self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)),
)
for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
self._test_SRV_rec_against_server(
ip, self.domain, expected_servers,
rec_list=IPA_DEFAULT_ADTRUST_SRV_REC)
def install(cls, mh):
super(TestUserPermissions, cls).install(mh)
tasks.kinit_admin(cls.master)
# Create a new user altadmin
password_confirmation = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
cls.master.run_command(['ipa', 'user-add', cls.altadmin,
'--first', cls.altadmin,
'--last', cls.altadmin,
'--password'],
stdin_text=password_confirmation)
# Add altadmin to the group cn=admins
cls.master.run_command(['ipa', 'group-add-member', 'admins',
'--users', cls.altadmin])
# kinit as altadmin to initialize the password
altadmin_kinit = "%s\n%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password,
cls.master.config.admin_password)
cls.master.run_command(['kinit', cls.altadmin],
stdin_text=altadmin_kinit)
cls.master.run_command(['kdestroy', '-A'])
def test_http_kdc_proxy_works(self):
result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
assert(result.returncode == 0), (
"Unable to kinit using KdcProxy: %s" % result.stderr_text
)
