def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd): """Test for OTP when the LDAP connection timed out. Test for : https://pagure.io/freeipa/issue/6587 ipa-otpd was exiting with failure when LDAP connection timed out. Test to verify that when the nsslapd-idletimeout is exceeded (30s idle, 60s sleep) then the ipa-otpd process should exit without error. """ since = time.strftime('%Y-%m-%d %H:%M:%S') tasks.kinit_admin(self.master) otpuid, totp = add_otptoken(self.master, USER, otptype="totp") try: # kinit with OTP auth otpvalue = totp.generate(int(time.time())).decode("ascii") kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) time.sleep(60) def test_cb(cmd_jornalctl): # check if LDAP connection is timed out expected_msg = "Can't contact LDAP server" return expected_msg in cmd_jornalctl # ipa-otpd don't flush its logs to syslog immediately cmd = ['journalctl', '--since={}'.format(since)] tasks.run_repeatedly(self.master, command=cmd, test=test_cb, timeout=90) failed_services = self.master.run_command( ['systemctl', 'list-units', '--state=failed']) assert "ipa-otpd" not in failed_services.stdout_text finally: del_otptoken(self.master, otpuid)
def add_user_code(host, verification_uri): contents = user_code_script.format(uri=verification_uri, passwd=host.config.admin_password) try: host.put_file_contents("/tmp/add_user_code.py", contents) tasks.run_repeatedly( host, ['python3', '/tmp/add_user_code.py']) finally: host.run_command(["rm", "-f", "/tmp/add_user_code.py"])
def check_sid_generation(cls): command = ['ipa', 'user-show', 'admin', '--all', '--raw'] # TODO: remove duplicate definition and import from common module _sid_identifier_authority = '(0x[0-9a-f]{1,12}|[0-9]{1,10})' sid_regex = 'S-1-5-21-%(idauth)s-%(idauth)s-%(idauth)s'\ % dict(idauth=_sid_identifier_authority) stdout_re = re.escape(' ipaNTSecurityIdentifier: ') + sid_regex tasks.run_repeatedly(cls.master, command, test=lambda x: re.search(stdout_re, x))
def setup_keycloakserver(host, version='17.0.0'): dir = "/opt/keycloak" password = host.config.admin_password tasks.install_packages(host, [ "unzip", "java-11-openjdk-headless", "openssl", "maven", "wget", "firefox", "xorg-x11-server-Xvfb" ]) # add keycloak system user/group and folder url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format( version) # noqa: E501 host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)]) host.run_command( ["unzip", "{0}-{1}.zip".format(dir, version), "-d", "/opt/"]) host.run_command(["mv", "{0}-{1}".format(dir, version), dir]) host.run_command(["groupadd", "keycloak"]) host.run_command( ["useradd", "-r", "-g", "keycloak", "-d", dir, "keycloak"]) host.run_command(["chown", "-R", "keycloak:", dir]) host.run_command(["chmod", "o+x", "{0}/bin/".format(dir)]) host.run_command(["restorecon", "-R", dir]) # setup TLS certificate using IPA CA host.run_command(["kinit", "-k"]) host.run_command(["ipa", "service-add", "HTTP/{0}".format(host.hostname)]) key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") host.run_command([ "ipa-getcert", "request", "-K", "HTTP/{0}".format(host.hostname), "-D", host.hostname, "-o", "keycloak", "-O", "keycloak", "-m", "0600", "-M", "0644", "-k", key, "-f", crt, "-w" ]) host.run_command([ "keytool", "-import", "-keystore", keystore, "-file", "/etc/ipa/ca.crt", "-alias", "ipa_ca", "-trustcacerts", "-storepass", password, "-noprompt" ]) host.run_command(["chown", "keycloak:keycloak", keystore]) # Setup keycloak service and config files contents = textwrap.dedent(""" KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD={admin_pswd} KC_HOSTNAME={host}:8443 KC_HTTPS_CERTIFICATE_FILE={crt} KC_HTTPS_CERTIFICATE_KEY_FILE={key} KC_HTTPS_TRUST_STORE_FILE={store} KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd} KC_HTTP_RELATIVE_PATH=/auth """).format(admin_pswd=password, host=host.hostname, crt=crt, key=key, store=keystore, store_pswd=password) host.put_file_contents("/etc/sysconfig/keycloak", contents) contents = textwrap.dedent(""" [Unit] Description=Keycloak Server After=network.target [Service] Type=idle EnvironmentFile=/etc/sysconfig/keycloak User=keycloak Group=keycloak ExecStart=/opt/keycloak/bin/kc.sh start TimeoutStartSec=600 TimeoutStopSec=600 [Install] WantedBy=multi-user.target """) host.put_file_contents("/etc/systemd/system/keycloak.service", contents) host.run_command(["systemctl", "daemon-reload"]) # Run build stage first env_vars = textwrap.dedent(""" export KEYCLOAK_ADMIN=admin export KC_HOSTNAME={hostname}:8443 export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS} export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS} export KC_HTTP_RELATIVE_PATH=/auth """).format(hostname=host.hostname, STORE_PASS=password, ADMIN_PASS=password) content = host.get_file_contents('/etc/bashrc', encoding='utf-8') new_content = content + "\n{}".format(env_vars) host.put_file_contents('/etc/bashrc', new_content) host.run_command(['bash']) host.run_command( ['su', '-', 'keycloak', '-c', '/opt/keycloak/bin/kc.sh build']) host.run_command(["systemctl", "start", "keycloak"]) host.run_command(["/opt/keycloak/bin/kc.sh", "show-config"]) # Setup keycloak for use: kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" host.run_command([ kcadmin_sh, "config", "truststore", "--trustpass", password, keystore ]) kcadmin = [ kcadmin_sh, "config", "credentials", "--server", "https://{0}:8443/auth/".format(host.hostname), "--realm", "master", "--user", "admin", "--password", password ] tasks.run_repeatedly(host, kcadmin, timeout=60) host.run_command([ kcadmin_sh, "create", "users", "-r", "master", "-s", "username=testuser1", "-s", "enabled=true", "-s", "[email protected]" ]) host.run_command([ kcadmin_sh, "set-password", "-r", "master", "--username", "testuser1", "--new-password", password ])