IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-25 16:31:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
939ee59c27
freeipa/ipatests/test_integration/test_commands.py

922 lines
36 KiB
Python
Raw Normal View History

Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
"""Misc test for 'ipa' CLI regressions
"""
from __future__ import absolute_import
import base64
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
import re
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
import os
import logging
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd on master for performance enhancement ssh from ipa client was failing Test Procedure: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-24 04:55:35 -05:00
import random
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
import ssl
tests: sssd_ssh fd leaks when user cert converted into SSH key https://pagure.io/freeipa/issue/7687 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-08-23 03:34:39 -05:00
from itertools import chain, repeat
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
import textwrap
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
import time
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
import paramiko
import pytest
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
Fix writing certificate chain to file An client-side error occurs when cert commands are instructed to write the certificate chain (--chain option) to a file (--certificate-out option). This regression was introduced in the 'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3, and reflected in the 'ca' plugin in commit c7064494e5801d5fd4670e6aab1e07c65d7a0731. The server behaviour did not change; rather the client did not correctly handle the DER-encoded certificates in the 'certificate_chain' response field. Fix the issue by treating the 'certificate' field as base-64 encoded DER, and the 'certificate_chain' field as an array of raw DER certificates. Add tests for checking that the relevant commands succeed and write PEM data to the file (both with and without --chain). Fixes: https://pagure.io/freeipa/issue/7700 Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-27 01:36:59 -05:00
from cryptography.hazmat.backends import default_backend
from cryptography import x509
Allow ipaapi user to access SSSD's info pipe For smart card authentication, ipaapi must be able to access to sss-ifp. During installation and upgrade, the ipaapi user is now added to [ifp]allowed_uids. The commit also fixes two related issues: * The server upgrade code now enables ifp service in sssd.conf. The existing code modified sssd.conf but never wrote the changes to disk. * sssd_enable_service() no longer fails after it has detected an unrecognized service. Fixes: https://pagure.io/freeipa/issue/7751 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-06 06:57:14 -06:00
from ipalib.constants import IPAAPI_USER
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
from ipaplatform.paths import paths
Consider configured servers as valid Under some conditions, ipa config-show and several other commands were failing with error message: ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled Amongst others the issue can be caused by a broken installation, when some services are left in state 'configuredServices'. The problem even block uninstallation or removal of replicas. Now configured servers are also consider valid providers for associated roles. A new test verifies that config-show works with hidden and configured HTTP service. Remark: The original intent of the sanity check is no longer clear to me. I think it was used to very that all services can be started by ipactl. Since ipactl starts hidden, configured, and enabled services, the new logic reflect the fact, too. Fixes: https://pagure.io/freeipa/issue/7929 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 04:12:30 -05:00
from ipapython.dn import DN
Add tests for ipa-cacert-manage delete command This tests the following cases: - deletion without nickname (expect fail) - deletion with an unknown nickname (expect fail) - deletion of IPA CA (expect fail) - deletion of a root CA needed by a subCA (expect fail) - deletion of a root CA needed by a subCA with --force (ok) - deletion of a subca (ok) As a side-effect this also tests install by installing the LE root and a sub-ca. The sub-ca expires in 2021 but I tested in the future the ipa-cacert-manage install doesn't do date validation so for now this is ok. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-27 16:34:48 -06:00
from ipapython.certdb import get_ca_nickname
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
from ipatests.test_integration.base import IntegrationTest
Rename pytest_plugins to ipatests.pytest_ipa pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string "pytest_plugins" is used as marker to load plugins. By populare vote and to avoid future conflicts, we decided to rename the directory to pytest_ipa. Fixes: https://pagure.io/freeipa/issue/7663 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-02 06:45:19 -05:00
from ipatests.pytest_ipa.integration import tasks
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd on master for performance enhancement ssh from ipa client was failing Test Procedure: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-24 04:55:35 -05:00
from ipaplatform.tasks import tasks as platform_tasks
tests: sssd_ssh fd leaks when user cert converted into SSH key https://pagure.io/freeipa/issue/7687 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-08-23 03:34:39 -05:00
from ipatests.create_external_ca import ExternalCA
Add tests for ipa-cacert-manage install Some basic tests like re-loading a certificate, loading a PKCS#7 cert and bad cert handling. Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/7579 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-17 17:12:52 -05:00
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
logger = logging.getLogger(__name__)
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
Replace imports from ipaserver The ipatests/test_integration/ package only uses ipaserver in a few places. Copy some simple constants to decouple the packages. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-15 06:38:50 -05:00
# from ipaserver.masters
CONFIGURED_SERVICE = u'configuredService'
ENABLED_SERVICE = u'enabledService'
HIDDEN_SERVICE = u'hiddenService'
Add tests for ipa-cacert-manage delete command This tests the following cases: - deletion without nickname (expect fail) - deletion with an unknown nickname (expect fail) - deletion of IPA CA (expect fail) - deletion of a root CA needed by a subCA (expect fail) - deletion of a root CA needed by a subCA with --force (ok) - deletion of a subca (ok) As a side-effect this also tests install by installing the LE root and a sub-ca. The sub-ca expires in 2021 but I tested in the future the ipa-cacert-manage install doesn't do date validation so for now this is ok. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-27 16:34:48 -06:00
isrgrootx1 = (
b'-----BEGIN CERTIFICATE-----\n'
b'MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n'
b'TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n'
b'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n'
b'WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n'
b'ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n'
b'MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n'
b'h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n'
b'0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n'
b'A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n'
b'T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n'
b'B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n'
b'B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n'
b'KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n'
b'OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n'
b'jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n'
b'qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n'
b'rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n'
b'HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n'
b'hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n'
b'ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n'
b'3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n'
b'NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n'
b'ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n'
b'TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n'
b'jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n'
b'oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n'
b'4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n'
b'mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n'
b'emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n'
b'-----END CERTIFICATE-----\n'
)
isrgrootx1_nick = 'CN=ISRG Root X1,O=Internet Security Research Group,C=US'
# This sub-CA expires on Oct 6, 2021 but it is functional for our
# purposes of testing, the date validity is not considered (yet).
letsencryptauthorityx3 = (
b'-----BEGIN CERTIFICATE-----\n'
b'MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw\n'
b'TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n'
b'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1\n'
b'WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n'
b'RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi\n'
b'MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX\n'
b'NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf\n'
b'89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl\n'
b'Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc\n'
b'Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz\n'
b'uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB\n'
b'AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU\n'
b'BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB\n'
b'FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo\n'
b'SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js\n'
b'LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF\n'
b'BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG\n'
b'AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD\n'
b'VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB\n'
b'ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx\n'
b'A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM\n'
b'UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2\n'
b'DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1\n'
b'eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu\n'
b'OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw\n'
b'p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY\n'
b'2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0\n'
b'ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR\n'
b'PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b\n'
b'rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt\n'
b'-----END CERTIFICATE-----\n'
)
le_x3_nick = "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
Allow ipaapi user to access SSSD's info pipe For smart card authentication, ipaapi must be able to access to sss-ifp. During installation and upgrade, the ipaapi user is now added to [ifp]allowed_uids. The commit also fixes two related issues: * The server upgrade code now enables ifp service in sssd.conf. The existing code modified sssd.conf but never wrote the changes to disk. * sssd_enable_service() no longer fails after it has detected an unrecognized service. Fixes: https://pagure.io/freeipa/issue/7751 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-06 06:57:14 -06:00
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
class TestIPACommand(IntegrationTest):
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
"""
A lot of commands can be executed against a single IPA installation
so provide a generic class to execute one-off commands that need to be
tested without having to fire up a full server to run one command.
"""
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
topology = 'line'
def get_cert_base64(self, host, path):
"""Retrieve cert and return content as single line, base64 encoded
"""
cacrt = host.get_file_contents(path, encoding='ascii')
cader = ssl.PEM_cert_to_DER_cert(cacrt)
return base64.b64encode(cader).decode('ascii')
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
Reproducer for issue 5923 (bytes in error response) Error response used to contain bytes instead of text, which triggered an exception. See: https://pagure.io/freeipa/issue/5923 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-24 08:38:33 -05:00
def test_add_permission_failure_issue5923(self):
# https://pagure.io/freeipa/issue/5923
# error response used to contain bytes instead of text
tasks.kinit_admin(self.master)
# neither privilege nor permission exists
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 2
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
err = result.stderr_text.strip()
Reproducer for issue 5923 (bytes in error response) Error response used to contain bytes instead of text, which triggered an exception. See: https://pagure.io/freeipa/issue/5923 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-24 08:38:33 -05:00
assert err == "ipa: ERROR: loc: privilege not found"
# add privilege
result = self.master.run_command(
["ipa", "privilege-add", "loc"],
)
assert 'Added privilege "loc"' in result.stdout_text
# permission is still missing
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 1
assert "Number of permissions added 0" in result.stdout_text
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
def test_change_sysaccount_password_issue7561(self):
sysuser = 'system'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
base_dn = str(master.domain.basedn)
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
entry_ldif = textwrap.dedent("""
dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: {original_passwd}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
""").format(
base_dn=base_dn,
original_passwd=original_passwd)
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
tasks.ldapmodify_dm(master, entry_ldif)
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
def get_krbinfo(self, user):
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
base_dn = str(self.master.domain.basedn)
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
result = tasks.ldapsearch_dm(
self.master,
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn),
['krblastpwdchange', 'krbpasswordexpiration'],
scope='base'
)
output = result.stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
krbchg_pattern = 'krblastpwdchange: (.+)\n'
krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
krblastpwdchange = re.findall(krbchg_pattern, output)[0]
krbexp = re.findall(krbexp_pattern, output)[0]
return krblastpwdchange, krbexp
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
def test_ldapmodify_password_issue7601(self):
user = 'ipauser'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
new_passwd2 = 'mynewPwd123'
master = self.master
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
base_dn = str(master.domain.basedn)
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
# Create a user with a password
tasks.kinit_admin(master)
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
master.run_command(['ipa', 'user-add', user,
'--first', user,
'--last', user,
'--password'],
stdin_text=add_password_stdin_text)
# kinit as that user in order to modify the pwd
user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
old=original_passwd,
new=original_passwd)
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# Retrieve krblastpwdchange and krbpasswordexpiration
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
krblastpwdchange, krbexp = self.get_krbinfo(user)
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
# sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
# a 1s precision)
time.sleep(1)
# perform ldapmodify on userpassword as dir mgr
entry_ldif = textwrap.dedent("""
dn: uid={user},cn=users,cn=accounts,{base_dn}
changetype: modify
replace: userpassword
userpassword: {new_passwd}
""").format(
user=user,
base_dn=base_dn,
new_passwd=new_passwd)
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
tasks.ldapmodify_dm(master, entry_ldif)
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd)
# both should have changed
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
newkrblastpwdchange, newkrbexp = self.get_krbinfo(user)
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
assert newkrblastpwdchange != krblastpwdchange
assert newkrbexp != krbexp
# Now test passwd modif with ldappasswd
time.sleep(1)
master.run_command([
paths.LDAPPASSWD,
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
'-D', str(master.config.dirman_dn),
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
'-w', master.config.dirman_password,
'-a', new_passwd,
'-s', new_passwd2,
'-x', '-ZZ',
'-H', 'ldap://{hostname}'.format(hostname=master.hostname),
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn)]
)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd2)
# both should have changed
Add ldapmodify/search helper functions Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper functions. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-03 13:56:39 -06:00
newkrblastpwdchange2, newkrbexp2 = self.get_krbinfo(user)
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
assert newkrblastpwdchange != newkrblastpwdchange2
assert newkrbexp != newkrbexp2
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
def test_change_selinuxusermaporder(self):
"""
An update file meant to ensure a more sane default was
overriding any customization done to the order.
"""
maporder = "unconfined_u:s0-s0:c0.c1023"
# set a new default
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
result = self.master.run_command(
["ipa", "config-mod",
"--ipaselinuxusermaporder={}".format(maporder)],
raiseonerr=False
)
assert result.returncode == 0
# apply the update
result = self.master.run_command(
["ipa-server-upgrade"],
raiseonerr=False
)
assert result.returncode == 0
# ensure result is the same
result = self.master.run_command(
["ipa", "config-show"],
raiseonerr=False
)
assert result.returncode == 0
assert "SELinux user map order: {}".format(
maporder) in result.stdout_text
Fix ipa console filename THe ipa console command takes an optional filename argument. The filename argument was broken, because the implementation passed a file object to exec() instead of a string or compiled object. ipa console now uses compile() to compile the code with print_function __future__ feature. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 07:50:40 -05:00
def test_ipa_console(self):
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Fix ipa console filename THe ipa console command takes an optional filename argument. The filename argument was broken, because the implementation passed a file object to exec() instead of a string or compiled object. ipa console now uses compile() to compile the code with print_function __future__ feature. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 07:50:40 -05:00
result = self.master.run_command(
["ipa", "console"],
stdin_text="api.env"
)
assert "ipalib.config.Env" in result.stdout_text
filename = tasks.upload_temp_contents(
self.master,
"print(api.env)\n"
)
result = self.master.run_command(
["ipa", "console", filename],
)
assert "ipalib.config.Env" in result.stdout_text
Fix regression: Handle unicode where str is expected Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when trying to fix a similar issue for clients running Python 3. However, that fix broke Python 2 clients. Issue: https://pagure.io/freeipa/issue/7626 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-17 14:08:49 -05:00
def test_list_help_topics(self):
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Fix regression: Handle unicode where str is expected Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when trying to fix a similar issue for clients running Python 3. However, that fix broke Python 2 clients. Issue: https://pagure.io/freeipa/issue/7626 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-17 14:08:49 -05:00
result = self.master.run_command(
["ipa", "help", "topics"],
raiseonerr=False
)
assert result.returncode == 0
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
def test_ssh_key_connection(self, tmpdir):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3747
"""
Skip paramiko tests in FIPS mode Paramiko is not compatible with FIPS mode. It uses MD5 on the client side and does not support rsa-sha2 connections for RSA auth. See: https://pagure.io/freeipa/issue/8129 Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-11-28 10:22:02 -06:00
if self.master.is_fips_mode: # pylint: disable=no-member
pytest.skip("paramiko is not compatible with FIPS mode")
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
test_user = 'test-ssh'
ipatests: fix host name for ssh connection from controller to master Use master.external_hostname instead of master.hostname for ssh connection from controller machine to master. If hostname and external_hostname in test_config.yml do no match then trying to establish ssh connection was failing with "[Errno -2] Name or service not known". Fixes https://pagure.io/freeipa/issue/7874 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-01 11:16:56 -06:00
external_master_hostname = \
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
self.master.external_hostname
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
pub_keys = []
for i in range(40):
ssh_key_pair = tasks.generate_ssh_keypair()
pub_keys.append(ssh_key_pair[1])
with open(os.path.join(
tmpdir, 'ssh_priv_{}'.format(i)), 'w') as fp:
fp.write(ssh_key_pair[0])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
keys_opts = ' '.join(['--ssh "{}"'.format(k) for k in pub_keys])
cmd = 'ipa user-mod {} {}'.format(test_user, keys_opts)
self.master.run_command(cmd)
# connect with first SSH key
first_priv_key_path = os.path.join(tmpdir, 'ssh_priv_1')
# change private key permission to comply with SS rules
os.chmod(first_priv_key_path, 0o600)
sshcon = paramiko.SSHClient()
sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# first connection attempt is a workaround for
# https://pagure.io/SSSD/sssd/issue/3669
try:
ipatests: fix host name for ssh connection from controller to master Use master.external_hostname instead of master.hostname for ssh connection from controller machine to master. If hostname and external_hostname in test_config.yml do no match then trying to establish ssh connection was failing with "[Errno -2] Name or service not known". Fixes https://pagure.io/freeipa/issue/7874 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-01 11:16:56 -06:00
sshcon.connect(external_master_hostname, username=test_user,
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException, paramiko.SSHException):
pass
try:
ipatests: fix host name for ssh connection from controller to master Use master.external_hostname instead of master.hostname for ssh connection from controller machine to master. If hostname and external_hostname in test_config.yml do no match then trying to establish ssh connection was failing with "[Errno -2] Name or service not known". Fixes https://pagure.io/freeipa/issue/7874 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-01 11:16:56 -06:00
sshcon.connect(external_master_hostname, username=test_user,
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException,
paramiko.SSHException) as e:
pytest.fail('Authentication using SSH key not successful', e)
journal_cmd = ['journalctl', '--since=today', '-u', 'sshd']
result = self.master.run_command(journal_cmd)
output = result.stdout_text
assert not re.search('exited on signal 13', output)
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
tests: sssd_ssh fd leaks when user cert converted into SSH key https://pagure.io/freeipa/issue/7687 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-08-23 03:34:39 -05:00
def test_ssh_leak(self):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3794
"""
def count_pipes():
res = self.master.run_command(['pidof', 'sssd_ssh'])
pid = res.stdout_text.strip()
proc_path = '/proc/{}/fd'.format(pid)
res = self.master.run_command(['ls', '-la', proc_path])
fds_text = res.stdout_text.strip()
return sum((1 for _ in re.finditer(r'pipe', fds_text)))
test_user = 'test-ssh'
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
certs = []
# we are ok with whatever certificate for this test
external_ca = ExternalCA()
for _dummy in range(3):
cert = external_ca.create_ca()
cert = tasks.strip_cert_header(cert.decode('utf-8'))
certs.append('"{}"'.format(cert))
cert_args = list(
chain.from_iterable(list(zip(repeat('--certificate'), certs))))
cmd = 'ipa user-add-cert {} {}'.format(test_user, ' '.join(cert_args))
self.master.run_command(cmd)
tasks.clear_sssd_cache(self.master)
num_of_pipes = count_pipes()
for _dummy in range(3):
self.master.run_command([paths.SSS_SSH_AUTHORIZEDKEYS, test_user])
current_num_of_pipes = count_pipes()
assert current_num_of_pipes == num_of_pipes
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
Fix writing certificate chain to file An client-side error occurs when cert commands are instructed to write the certificate chain (--chain option) to a file (--certificate-out option). This regression was introduced in the 'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3, and reflected in the 'ca' plugin in commit c7064494e5801d5fd4670e6aab1e07c65d7a0731. The server behaviour did not change; rather the client did not correctly handle the DER-encoded certificates in the 'certificate_chain' response field. Fix the issue by treating the 'certificate' field as base-64 encoded DER, and the 'certificate_chain' field as an array of raw DER certificates. Add tests for checking that the relevant commands succeed and write PEM data to the file (both with and without --chain). Fixes: https://pagure.io/freeipa/issue/7700 Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-27 01:36:59 -05:00
def test_certificate_out_write_to_file(self):
# commands to test; name of temporary file will be appended
commands = [
['ipa', 'cert-show', '1', '--certificate-out'],
['ipa', 'cert-show', '1', '--chain', '--certificate-out'],
['ipa', 'ca-show', 'ipa', '--certificate-out'],
['ipa', 'ca-show', 'ipa', '--chain', '--certificate-out'],
]
for command in commands:
cmd = self.master.run_command(['mktemp'])
filename = cmd.stdout_text.strip()
self.master.run_command(command + [filename])
# Check that a PEM file was written. If --chain was
# used, load_pem_x509_certificate will return the
# first certificate, which is fine for this test.
data = self.master.get_file_contents(filename)
x509.load_pem_x509_certificate(data, backend=default_backend())
self.master.run_command(['rm', '-f', filename])
Allow ipaapi user to access SSSD's info pipe For smart card authentication, ipaapi must be able to access to sss-ifp. During installation and upgrade, the ipaapi user is now added to [ifp]allowed_uids. The commit also fixes two related issues: * The server upgrade code now enables ifp service in sssd.conf. The existing code modified sssd.conf but never wrote the changes to disk. * sssd_enable_service() no longer fails after it has detected an unrecognized service. Fixes: https://pagure.io/freeipa/issue/7751 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-06 06:57:14 -06:00
def test_sssd_ifp_access_ipaapi(self):
# check that ipaapi is allowed to access sssd-ifp for smartcard auth
# https://pagure.io/freeipa/issue/7751
username = 'admin'
# get UID for user
result = self.master.run_command(['ipa', 'user-show', username])
mo = re.search(r'UID: (\d+)', result.stdout_text)
assert mo is not None, result.stdout_text
uid = mo.group(1)
cmd = [
'dbus-send',
'--print-reply', '--system',
'--dest=org.freedesktop.sssd.infopipe',
'/org/freedesktop/sssd/infopipe/Users',
'org.freedesktop.sssd.infopipe.Users.FindByName',
'string:{}'.format(username)
]
# test IFP as root
result = self.master.run_command(cmd)
assert uid in result.stdout_text
# test IFP as ipaapi
result = self.master.run_command(
['sudo', '-u', IPAAPI_USER, '--'] + cmd
)
assert uid in result.stdout_text
Add tests for ipa-cacert-manage install Some basic tests like re-loading a certificate, loading a PKCS#7 cert and bad cert handling. Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/7579 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-17 17:12:52 -05:00
def test_ipa_cacert_manage_install(self):
# Re-install the IPA CA
self.master.run_command([
paths.IPA_CACERT_MANAGE,
'install',
paths.IPA_CA_CRT])
# Test a non-existent file
result = self.master.run_command([
paths.IPA_CACERT_MANAGE,
'install',
'/var/run/cert_not_found'], raiseonerr=False)
assert result.returncode == 1
cmd = self.master.run_command(['mktemp'])
filename = cmd.stdout_text.strip()
for contents in (good_pkcs7,):
self.master.put_file_contents(filename, contents)
result = self.master.run_command([
paths.IPA_CACERT_MANAGE,
'install',
filename])
for contents in (badcert,):
self.master.put_file_contents(filename, contents)
result = self.master.run_command([
paths.IPA_CACERT_MANAGE,
'install',
filename], raiseonerr=False)
assert result.returncode == 1
self.master.run_command(['rm', '-f', filename])
Create systemd-user HBAC service and rule authselect changed pam_systemd session from optional to required. When the HBAC rule allow_all is disabled and replaced with more fine grained rules, loginsi now to fail, because systemd's user@.service is able to create a systemd session. Add systemd-user HBAC service and a HBAC rule that allows systemd-user to run on all hosts for all users by default. ipa-server-upgrade creates the service and rule, too. In case the service already exists, no attempt is made to create the rule. This allows admins to delete the rule permanently. See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Fixes: https://pagure.io/freeipa/issue/7831 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 04:18:05 -06:00
def test_hbac_systemd_user(self):
# https://pagure.io/freeipa/issue/7831
tasks.kinit_admin(self.master)
# check for presence
self.master.run_command(
['ipa', 'hbacsvc-show', 'systemd-user']
)
Fix systemd-user HBAC rule 2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that encoded the service wrongly. See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Fixes: https://pagure.io/freeipa/issue/7831 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-15 10:33:56 -06:00
result = self.master.run_command(
['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
)
lines = set(l.strip() for l in result.stdout_text.split('\n'))
assert 'User category: all' in lines
assert 'Host category: all' in lines
assert 'Enabled: TRUE' in lines
assert 'Services: systemd-user' in lines
assert 'accessruletype: allow' in lines
Create systemd-user HBAC service and rule authselect changed pam_systemd session from optional to required. When the HBAC rule allow_all is disabled and replaced with more fine grained rules, loginsi now to fail, because systemd's user@.service is able to create a systemd session. Add systemd-user HBAC service and a HBAC rule that allows systemd-user to run on all hosts for all users by default. ipa-server-upgrade creates the service and rule, too. In case the service already exists, no attempt is made to create the rule. This allows admins to delete the rule permanently. See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Fixes: https://pagure.io/freeipa/issue/7831 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 04:18:05 -06:00
# delete both
self.master.run_command(
['ipa', 'hbacrule-del', 'allow_systemd-user']
)
self.master.run_command(
['ipa', 'hbacsvc-del', 'systemd-user']
)
# run upgrade
result = self.master.run_command(['ipa-server-upgrade'])
assert 'Created hbacsvc systemd-user' in result.stderr_text
assert 'Created hbac rule allow_systemd-user' in result.stderr_text
# check for presence
result = self.master.run_command(
['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
)
lines = set(l.strip() for l in result.stdout_text.split('\n'))
assert 'User category: all' in lines
assert 'Host category: all' in lines
assert 'Enabled: TRUE' in lines
assert 'Services: systemd-user' in lines
assert 'accessruletype: allow' in lines
self.master.run_command(
['ipa', 'hbacsvc-show', 'systemd-user']
)
# only delete rule
self.master.run_command(
['ipa', 'hbacrule-del', 'allow_systemd-user']
)
# run upgrade
result = self.master.run_command(['ipa-server-upgrade'])
assert (
'hbac service systemd-user already exists' in result.stderr_text
)
assert (
'Created hbac rule allow_systemd-user' not in result.stderr_text
)
result = self.master.run_command(
['ipa', 'hbacrule-show', 'allow_systemd-user'],
raiseonerr=False
)
assert result.returncode != 0
assert 'HBAC rule not found' in result.stderr_text
Consider configured servers as valid Under some conditions, ipa config-show and several other commands were failing with error message: ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled Amongst others the issue can be caused by a broken installation, when some services are left in state 'configuredServices'. The problem even block uninstallation or removal of replicas. Now configured servers are also consider valid providers for associated roles. A new test verifies that config-show works with hidden and configured HTTP service. Remark: The original intent of the sanity check is no longer clear to me. I think it was used to very that all services can be started by ipactl. Since ipactl starts hidden, configured, and enabled services, the new logic reflect the fact, too. Fixes: https://pagure.io/freeipa/issue/7929 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 04:12:30 -05:00
def test_config_show_configured_services(self):
# https://pagure.io/freeipa/issue/7929
states = {CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE}
dn = DN(
('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'),
pylint: Synchronize pylint plugin to ipatests code Pylint is a static analysis tool and therefore, couldn't always analyze dynamic stuff properly. Transformation plugins is a way to teach Pylint how to handle such cases. Particularly, with the help of FreeIPA own plugin, it is possible to tell Pylint about instance fields having a duck-typing nature. A drawback exposed here is that a static view (Pylint's) of code should be consistent with an actual one, otherwise, codebase will be polluted with various skips of pylint checks. * added missing fields to ipatests.test_integration.base.IntegrationTest * an attempt is made to clear `no-member` skips for ipatests * removed no longer needed `pytest` module transformation Related: https://pagure.io/freeipa/issue/8116 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-28 03:26:22 -06:00
self.master.domain.basedn
Consider configured servers as valid Under some conditions, ipa config-show and several other commands were failing with error message: ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled Amongst others the issue can be caused by a broken installation, when some services are left in state 'configuredServices'. The problem even block uninstallation or removal of replicas. Now configured servers are also consider valid providers for associated roles. A new test verifies that config-show works with hidden and configured HTTP service. Remark: The original intent of the sanity check is no longer clear to me. I think it was used to very that all services can be started by ipactl. Since ipactl starts hidden, configured, and enabled services, the new logic reflect the fact, too. Fixes: https://pagure.io/freeipa/issue/7929 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 04:12:30 -05:00
)
conn = self.master.ldap_connect()
entry = conn.get_entry(dn) # pylint: disable=no-member
# original setting and all settings without state
orig_cfg = list(entry['ipaConfigString'])
other_cfg = [item for item in orig_cfg if item not in states]
try:
# test with hidden
cfg = [HIDDEN_SERVICE]
cfg.extend(other_cfg)
entry['ipaConfigString'] = cfg
conn.update_entry(entry) # pylint: disable=no-member
self.master.run_command(['ipa', 'config-show'])
# test with configured
cfg = [CONFIGURED_SERVICE]
cfg.extend(other_cfg)
entry['ipaConfigString'] = cfg
conn.update_entry(entry) # pylint: disable=no-member
self.master.run_command(['ipa', 'config-show'])
finally:
# reset
entry['ipaConfigString'] = orig_cfg
conn.update_entry(entry) # pylint: disable=no-member
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd on master for performance enhancement ssh from ipa client was failing Test Procedure: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-24 04:55:35 -05:00
def test_ssh_from_controller(self):
"""https://pagure.io/SSSD/sssd/issue/3979
Test ssh from test controller after adding
ldap_deref_threshold=0 to sssd.conf on master
Steps:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
"""
sssd_version = ''
cmd_output = self.master.run_command(['sssd', '--version'])
sssd_version = platform_tasks.\
parse_ipa_version(cmd_output.stdout_text.strip())
if sssd_version.version < '2.2.0':
pytest.xfail(reason="sssd 2.2.0 unavailable in F29 nightly")
username = "testuser" + str(random.randint(200000, 9999999))
# add ldap_deref_threshold=0 to /etc/sssd/sssd.conf
domain = self.master.domain
tasks.modify_sssd_conf(
self.master,
domain.name,
{
'ldap_deref_threshold': 0
},
)
try:
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
# kinit admin
tasks.kinit_admin(self.master)
# add ipa user
cmd = ['ipa', 'user-add',
'--first', username,
'--last', username,
'--password', username]
input_passwd = 'Secret123\nSecret123\n'
cmd_output = self.master.run_command(cmd, stdin_text=input_passwd)
assert 'Added user "%s"' % username in cmd_output.stdout_text
input_passwd = 'Secret123\nSecret123\nSecret123\n'
self.master.run_command(['kinit', username],
stdin_text=input_passwd)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(self.master.hostname,
username=username,
password='Secret123')
client.close()
finally:
# revert back to original ldap config
# remove ldap_deref_threshold=0
tasks.modify_sssd_conf(
self.master,
domain.name,
{
'ldap_deref_threshold': None
},
)
self.master.run_command(['systemctl', 'restart', 'sssd.service'])
Added testcase to check capitalization fix while running ipa user-mod 1. This testcase checks that when ipa user-mod command is run with capital letters there is no error shown in the console, instead the modifications for first and last name of the user is applied. 2. Adding tasks.kinit_admin since the test was being executed as different user leading to permission issue. ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions Issue: https://pagure.io/freeipa/issue/5879 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-19 05:27:01 -05:00
def test_user_mod_change_capitalization_issue5879(self):
"""
Test that an existing user which has been modified using ipa user-mod
and has the first and last name beginning with caps does not
throw the error 'ipa: ERROR: Type or value exists:' and
instead gets modified
This is a test case for Pagure issue
https://pagure.io/freeipa/issue/5879
Steps:
1. setup a master
2. add ipa user on master
3. now run ipa user-mod and specifying capital letters in names
4. user details should be modified
5. ipa: ERROR: Type or value exists is not displayed on console.
"""
# Create an ipa-user
tasks.kinit_admin(self.master)
ipauser = 'ipauser1'
first = 'ipauser'
modfirst = 'IpaUser'
last = 'test'
modlast = 'Test'
password = 'Secret123'
self.master.run_command(
['ipa', 'user-add', ipauser, '--first', first, '--last', last,
'--password'],
stdin_text="%s\n%s\n" % (password, password))
cmd = self.master.run_command(
['ipa', 'user-mod', ipauser, '--first', modfirst,
'--last', modlast])
assert 'Modified user "%s"' % (ipauser) in cmd.stdout_text
assert 'First name: %s' % (modfirst) in cmd.stdout_text
assert 'Last name: %s' % (modlast) in cmd.stdout_text
ipatests: add test to check that only TLS 1.2 is enabled in Apache Related to: https://pagure.io/freeipa/issue/7995 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 07:53:02 -05:00
def test_enabled_tls_protocols(self):
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-11-22 03:42:11 -06:00
"""Check Apache has same TLS versions enabled as crypto policy
ipatests: add test to check that only TLS 1.2 is enabled in Apache Related to: https://pagure.io/freeipa/issue/7995 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 07:53:02 -05:00
This is the regression test for issue
https://pagure.io/freeipa/issue/7995.
"""
def is_tls_version_enabled(tls_version):
res = self.master.run_command(
['openssl', 's_client',
'-connect', '{}:443'.format(self.master.hostname),
'-{}'.format(tls_version)],
stdin_text='\n',
ok_returncode=[0, 1]
)
return res.returncode == 0
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-11-22 03:42:11 -06:00
# get minimum version from current crypto-policy
openssl_cnf = self.master.get_file_contents(
"/etc/crypto-policies/back-ends/opensslcnf.config",
encoding="utf-8"
)
mo = re.search(r"MinProtocol\s*=\s*(TLSv[0-9.]+)", openssl_cnf)
assert mo
min_tls = mo.group(1)
# Fedora DEFAULT has TLS 1.0 enabled, NEXT has TLS 1.2
# even FUTURE crypto policy has TLS 1.2 as minimum version
assert min_tls in {"TLSv1", "TLSv1.2"}
# On Fedora FreeIPA still disables TLS 1.0 and 1.1 in ssl.conf.
ipatests: add test to check that only TLS 1.2 is enabled in Apache Related to: https://pagure.io/freeipa/issue/7995 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 07:53:02 -05:00
assert not is_tls_version_enabled('tls1')
assert not is_tls_version_enabled('tls1_1')
assert is_tls_version_enabled('tls1_2')
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-11-22 03:42:11 -06:00
assert is_tls_version_enabled('tls1_3')
ipatests: add check that ipa-adtrust-install generates sane smb.conf Related to: https://pagure.io/freeipa/issue/6951 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-11-22 04:12:58 -06:00
def test_samba_config_file(self):
"""Check that ipa-adtrust-install generates sane smb.conf
This is regression test for issue
https://pagure.io/freeipa/issue/6951
"""
self.master.run_command(
['ipa-adtrust-install', '-a', 'Secret123', '--add-sids', '-U'])
res = self.master.run_command(['testparm', '-s'])
assert 'ERROR' not in (res.stdout_text + res.stderr_text)
ipatests : Login via ssh using private-key for ipa-user should work. Added test for : https://pagure.io/SSSD/sssd/issue/3937 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-10-18 06:48:20 -05:00
ipatests: Skip test_sss_ssh_authorizedkeys method Temporarily skipping test due to unknown time-outs happening regularly. Issue: https://pagure.io/freeipa/issue/8151 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-12-16 12:40:58 -06:00
@pytest.mark.skip(reason='https://pagure.io/freeipa/issue/8151')
ipatests : Login via ssh using private-key for ipa-user should work. Added test for : https://pagure.io/SSSD/sssd/issue/3937 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-10-18 06:48:20 -05:00
def test_sss_ssh_authorizedkeys(self):
"""Login via Ssh using private-key for ipa-user should work.
Test for : https://pagure.io/SSSD/sssd/issue/3937
Steps:
1) setup user with ssh-key and certificate stored in ipaserver
2) simulate p11_child timeout
3) try to login via ssh using private key.
"""
user = 'testsshuser'
passwd = 'Secret123'
user_key = tasks.create_temp_file(self.master, create_file=False)
pem_file = tasks.create_temp_file(self.master)
# Create a user with a password
ipatests: Improve test_commands reliability Sometimes ssh command gets stuck, running manually without passing a command to be executed this is returned: ``` $ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \ -o StrictHostKeyChecking=no -l testsshuser \ -i /tmp/tmp.rQIT3KYScX master.ipa.test Could not chdir to home directory /home/testsshuser: No such file or directory ``` This commit forces the homedir creation and adds a timeout to ssh. Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-13 15:28:41 -06:00
tasks.create_active_user(self.master, user, passwd, extra_args=[
'--homedir', '/home/{}'.format(user)])
ipatests : Login via ssh using private-key for ipa-user should work. Added test for : https://pagure.io/SSSD/sssd/issue/3937 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-10-18 06:48:20 -05:00
tasks.kinit_admin(self.master)
tasks.run_command_as_user(
self.master, user, ['ssh-keygen', '-N', '',
'-f', user_key])
ssh_pub_key = self.master.get_file_contents('{}.pub'.format(
user_key), encoding='utf-8')
openssl_cmd = [
'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365',
'-nodes', '-out', pem_file, '-subj', '/CN=' + user]
self.master.run_command(openssl_cmd)
cert_b64 = self.get_cert_base64(self.master, pem_file)
sssd_p11_child = '/usr/libexec/sssd/p11_child'
backup = tasks.FileBackup(self.master, sssd_p11_child)
try:
content = '#!/bin/bash\nsleep 999999'
# added sleep to simulate the timeout for p11_child
self.master.put_file_contents(sssd_p11_child, content)
self.master.run_command(
['ipa', 'user-mod', user, '--ssh', ssh_pub_key])
self.master.run_command([
'ipa', 'user-add-cert', user, '--certificate', cert_b64])
# clear cache to avoid SSSD to check the user in old lookup
tasks.clear_sssd_cache(self.master)
result = self.master.run_command(
[paths.SSS_SSH_AUTHORIZEDKEYS, user])
assert ssh_pub_key in result.stdout_text
# login to the system
self.master.run_command(
['ssh', '-o', 'PasswordAuthentication=no',
'-o', 'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no',
ipatests: Improve test_commands reliability Sometimes ssh command gets stuck, running manually without passing a command to be executed this is returned: ``` $ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \ -o StrictHostKeyChecking=no -l testsshuser \ -i /tmp/tmp.rQIT3KYScX master.ipa.test Could not chdir to home directory /home/testsshuser: No such file or directory ``` This commit forces the homedir creation and adds a timeout to ssh. Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-13 15:28:41 -06:00
'-o', 'ConnectTimeout=10', '-l', user, '-i', user_key,
self.master.hostname, 'true'])
ipatests : Login via ssh using private-key for ipa-user should work. Added test for : https://pagure.io/SSSD/sssd/issue/3937 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-10-18 06:48:20 -05:00
finally:
# cleanup
self.master.run_command(['ipa', 'user-del', user])
backup.restore()
self.master.run_command(['rm', '-f', pem_file, user_key,
'{}.pub'.format(user_key)])
Add tests for ipa-cacert-manage delete command This tests the following cases: - deletion without nickname (expect fail) - deletion with an unknown nickname (expect fail) - deletion of IPA CA (expect fail) - deletion of a root CA needed by a subCA (expect fail) - deletion of a root CA needed by a subCA with --force (ok) - deletion of a subca (ok) As a side-effect this also tests install by installing the LE root and a sub-ca. The sub-ca expires in 2021 but I tested in the future the ipa-cacert-manage install doesn't do date validation so for now this is ok. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-27 16:34:48 -06:00
def test_cacert_manage(self):
"""Exercise ipa-cacert-manage delete"""
# deletion without nickname
result = self.master.run_command(
['ipa-cacert-manage', 'delete'],
raiseonerr=False
)
assert result.returncode != 0
# deletion with an unknown nickname
result = self.master.run_command(
['ipa-cacert-manage', 'delete', 'unknown'],
raiseonerr=False
)
assert result.returncode != 0
assert "Unknown CA 'unknown'" in result.stderr_text
# deletion of IPA CA
ipa_ca_nickname = get_ca_nickname(self.master.domain.realm)
result = self.master.run_command(
['ipa-cacert-manage', 'delete', ipa_ca_nickname],
raiseonerr=False
)
assert result.returncode != 0
assert 'The IPA CA cannot be removed with this tool' in \
result.stderr_text
# Install 3rd party CA's, Let's Encrypt in this case
for cert in (isrgrootx1, letsencryptauthorityx3):
certfile = os.path.join(self.master.config.test_dir, 'cert.pem')
self.master.put_file_contents(certfile, cert)
result = self.master.run_command(
['ipa-cacert-manage', 'install', certfile],
)
# deletion of a root CA needed by a subCA, without -f option
result = self.master.run_command(
['ipa-cacert-manage', 'delete', isrgrootx1_nick],
raiseonerr=False
)
assert result.returncode != 0
assert "Verifying \'%s\' failed. Removing part of the " \
"chain? certutil: certificate is invalid: Peer's " \
"Certificate issuer is not recognized." \
% isrgrootx1_nick in result.stderr_text
# deletion of a root CA needed by a subCA, with -f option
result = self.master.run_command(
['ipa-cacert-manage', 'delete', isrgrootx1_nick, '-f'],
raiseonerr=False
)
assert result.returncode == 0
# deletion of a subca
result = self.master.run_command(
['ipa-cacert-manage', 'delete', le_x3_nick],
raiseonerr=False
)
assert result.returncode == 0
Reference in New Issue Copy Permalink