IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-13 01:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
bcfd18f336
freeipa/ipatests/test_integration/test_commands.py

358 lines
13 KiB
Python
Raw Normal View History

Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
"""Misc test for 'ipa' CLI regressions
"""
from __future__ import absolute_import
import base64
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
import re
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
import os
import logging
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
import ssl
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
from tempfile import NamedTemporaryFile
import textwrap
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
import time
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
import paramiko
import pytest
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
Rename pytest_plugins to ipatests.pytest_ipa pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string "pytest_plugins" is used as marker to load plugins. By populare vote and to avoid future conflicts, we decided to rename the directory to pytest_ipa. Fixes: https://pagure.io/freeipa/issue/7663 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-02 06:45:19 -05:00
from ipatests.pytest_ipa.integration import tasks
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
logger = logging.getLogger(__name__)
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
class TestIPACommand(IntegrationTest):
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
"""
A lot of commands can be executed against a single IPA installation
so provide a generic class to execute one-off commands that need to be
tested without having to fire up a full server to run one command.
"""
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-27 05:29:17 -05:00
topology = 'line'
def get_cert_base64(self, host, path):
"""Retrieve cert and return content as single line, base64 encoded
"""
cacrt = host.get_file_contents(path, encoding='ascii')
cader = ssl.PEM_cert_to_DER_cert(cacrt)
return base64.b64encode(cader).decode('ascii')
def test_certmap_match_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
result = self.master.run_command(
['ipa', 'certmap-match', paths.IPA_CA_CRT],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'certmap-match', '--certificate', cab64],
raiseonerr=False
)
assert result.returncode == 1
assert not result.stderr_text
assert "0 users matched" in result.stdout_text
def test_cert_find_issue7520(self):
# https://pagure.io/freeipa/issue/7520
tasks.kinit_admin(self.master)
subject = 'CN=Certificate Authority,O={}'.format(
self.master.domain.realm)
# by cert file
result = self.master.run_command(
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
# by base64 cert
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
result = self.master.run_command(
['ipa', 'cert-find', '--certificate', cab64]
)
assert subject in result.stdout_text
assert '1 certificate matched' in result.stdout_text
Reproducer for issue 5923 (bytes in error response) Error response used to contain bytes instead of text, which triggered an exception. See: https://pagure.io/freeipa/issue/5923 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-24 08:38:33 -05:00
def test_add_permission_failure_issue5923(self):
# https://pagure.io/freeipa/issue/5923
# error response used to contain bytes instead of text
tasks.kinit_admin(self.master)
# neither privilege nor permission exists
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 2
err = result.stderr_text.strip() # pylint: disable=no-member
assert err == "ipa: ERROR: loc: privilege not found"
# add privilege
result = self.master.run_command(
["ipa", "privilege-add", "loc"],
)
assert 'Added privilege "loc"' in result.stdout_text
# permission is still missing
result = self.master.run_command(
["ipa", "privilege-add-permission", "loc",
"--permission='System: Show IPA Locations"],
raiseonerr=False
)
assert result.returncode == 1
assert "Number of permissions added 0" in result.stdout_text
Rename test class for testing simple commands, add test The concensus in the review was that the name test_commands was more generic than test_ipa_cli. Add a test to change the password for sysaccount users using using ldappasswd to confirm that a segfault fix does not regress. https://pagure.io/freeipa/issue/7561 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 09:16:24 -05:00
def test_change_sysaccount_password_issue7561(self):
sysuser = 'system'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
master = self.master
base_dn = str(master.domain.basedn) # pylint: disable=no-member
tf = NamedTemporaryFile()
ldif_file = tf.name
entry_ldif = textwrap.dedent("""
dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: {original_passwd}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
""").format(
base_dn=base_dn,
original_passwd=original_passwd)
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-f', ldif_file]
master.run_command(arg)
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
new_passwd, master)
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
def test_ldapmodify_password_issue7601(self):
user = 'ipauser'
original_passwd = 'Secret123'
new_passwd = 'userPasswd123'
new_passwd2 = 'mynewPwd123'
master = self.master
base_dn = str(master.domain.basedn) # pylint: disable=no-member
# Create a user with a password
tasks.kinit_admin(master)
add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
master.run_command(['ipa', 'user-add', user,
'--first', user,
'--last', user,
'--password'],
stdin_text=add_password_stdin_text)
# kinit as that user in order to modify the pwd
user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
old=original_passwd,
new=original_passwd)
master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
# Retrieve krblastpwdchange and krbpasswordexpiration
search_cmd = [
'ldapsearch', '-x',
'-D', 'cn=directory manager',
'-w', master.config.dirman_password,
'-s', 'base',
'-b', 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn),
'-o', 'ldif-wrap=no',
'-LLL',
'krblastpwdchange',
'krbpasswordexpiration']
output = master.run_command(search_cmd).stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
krbchg_pattern = 'krblastpwdchange: (.+)\n'
krbexp_pattern = 'krbpasswordexpiration: (.+)\n'
krblastpwdchange = re.findall(krbchg_pattern, output)[0]
krbexp = re.findall(krbexp_pattern, output)[0]
# sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
# a 1s precision)
time.sleep(1)
# perform ldapmodify on userpassword as dir mgr
mod = NamedTemporaryFile()
ldif_file = mod.name
entry_ldif = textwrap.dedent("""
dn: uid={user},cn=users,cn=accounts,{base_dn}
changetype: modify
replace: userpassword
userpassword: {new_passwd}
""").format(
user=user,
base_dn=base_dn,
new_passwd=new_passwd)
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-f', ldif_file]
master.run_command(arg)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd)
# Retrieve krblastpwdchange and krbpasswordexpiration
output = master.run_command(search_cmd).stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
newkrblastpwdchange = re.findall(krbchg_pattern, output)[0]
newkrbexp = re.findall(krbexp_pattern, output)[0]
# both should have changed
assert newkrblastpwdchange != krblastpwdchange
assert newkrbexp != krbexp
# Now test passwd modif with ldappasswd
time.sleep(1)
master.run_command([
paths.LDAPPASSWD,
'-D', str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-a', new_passwd,
'-s', new_passwd2,
'-x', '-ZZ',
'-H', 'ldap://{hostname}'.format(hostname=master.hostname),
'uid={user},cn=users,cn=accounts,{base_dn}'.format(
user=user, base_dn=base_dn)]
)
# Test new password with kinit
master.run_command(['kinit', user], stdin_text=new_passwd2)
# Retrieve krblastpwdchange and krbpasswordexpiration
output = master.run_command(search_cmd).stdout_text.lower()
# extract krblastpwdchange and krbpasswordexpiration
newkrblastpwdchange2 = re.findall(krbchg_pattern, output)[0]
newkrbexp2 = re.findall(krbexp_pattern, output)[0]
# both should have changed
assert newkrblastpwdchange != newkrblastpwdchange2
assert newkrbexp != newkrbexp2
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
def test_change_selinuxusermaporder(self):
"""
An update file meant to ensure a more sane default was
overriding any customization done to the order.
"""
maporder = "unconfined_u:s0-s0:c0.c1023"
# set a new default
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Use replace instead of add to set new default ipaSELinuxUserMapOrder The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-01 14:19:35 -05:00
result = self.master.run_command(
["ipa", "config-mod",
"--ipaselinuxusermaporder={}".format(maporder)],
raiseonerr=False
)
assert result.returncode == 0
# apply the update
result = self.master.run_command(
["ipa-server-upgrade"],
raiseonerr=False
)
assert result.returncode == 0
# ensure result is the same
result = self.master.run_command(
["ipa", "config-show"],
raiseonerr=False
)
assert result.returncode == 0
assert "SELinux user map order: {}".format(
maporder) in result.stdout_text
Fix ipa console filename THe ipa console command takes an optional filename argument. The filename argument was broken, because the implementation passed a file object to exec() instead of a string or compiled object. ipa console now uses compile() to compile the code with print_function __future__ feature. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 07:50:40 -05:00
def test_ipa_console(self):
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Fix ipa console filename THe ipa console command takes an optional filename argument. The filename argument was broken, because the implementation passed a file object to exec() instead of a string or compiled object. ipa console now uses compile() to compile the code with print_function __future__ feature. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 07:50:40 -05:00
result = self.master.run_command(
["ipa", "console"],
stdin_text="api.env"
)
assert "ipalib.config.Env" in result.stdout_text
filename = tasks.upload_temp_contents(
self.master,
"print(api.env)\n"
)
result = self.master.run_command(
["ipa", "console", filename],
)
assert "ipalib.config.Env" in result.stdout_text
Fix regression: Handle unicode where str is expected Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when trying to fix a similar issue for clients running Python 3. However, that fix broke Python 2 clients. Issue: https://pagure.io/freeipa/issue/7626 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-17 14:08:49 -05:00
def test_list_help_topics(self):
Tests: add integration test for password changes by dir mgr Add a test for issue 7601: - add a user, perform kinit user to modify the password, read krblastpwdchange and krbpasswordexpiration. - perform a ldapmodify on the password as dir mgr - make sure that krblastpwdchange and krbpasswordexpiration have been modified - perform the same check with ldappasswd Related to: https://pagure.io/freeipa/issue/7601 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-02 09:59:07 -05:00
tasks.kinit_admin(self.master)
Fix regression: Handle unicode where str is expected Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when trying to fix a similar issue for clients running Python 3. However, that fix broke Python 2 clients. Issue: https://pagure.io/freeipa/issue/7626 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-17 14:08:49 -05:00
result = self.master.run_command(
["ipa", "help", "topics"],
raiseonerr=False
)
assert result.returncode == 0
ipa_tests: test ssh keys login Integration test for: https://pagure.io/SSSD/sssd/issue/3747 IPA ticket: https://pagure.io/freeipa/issue/7664 Reviewed-By: Armando Neto <abiagion@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-31 06:24:01 -05:00
def test_ssh_key_connection(self, tmpdir):
"""
Integration test for https://pagure.io/SSSD/sssd/issue/3747
"""
test_user = 'test-ssh'
master = self.master.hostname
pub_keys = []
for i in range(40):
ssh_key_pair = tasks.generate_ssh_keypair()
pub_keys.append(ssh_key_pair[1])
with open(os.path.join(
tmpdir, 'ssh_priv_{}'.format(i)), 'w') as fp:
fp.write(ssh_key_pair[0])
tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-add', test_user,
'--first=tester', '--last=tester'])
keys_opts = ' '.join(['--ssh "{}"'.format(k) for k in pub_keys])
cmd = 'ipa user-mod {} {}'.format(test_user, keys_opts)
self.master.run_command(cmd)
# connect with first SSH key
first_priv_key_path = os.path.join(tmpdir, 'ssh_priv_1')
# change private key permission to comply with SS rules
os.chmod(first_priv_key_path, 0o600)
sshcon = paramiko.SSHClient()
sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# first connection attempt is a workaround for
# https://pagure.io/SSSD/sssd/issue/3669
try:
sshcon.connect(master, username=test_user,
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException, paramiko.SSHException):
pass
try:
sshcon.connect(master, username=test_user,
key_filename=first_priv_key_path, timeout=1)
except (paramiko.AuthenticationException,
paramiko.SSHException) as e:
pytest.fail('Authentication using SSH key not successful', e)
journal_cmd = ['journalctl', '--since=today', '-u', 'sshd']
result = self.master.run_command(journal_cmd)
output = result.stdout_text
assert not re.search('exited on signal 13', output)
# cleanup
self.master.run_command(['ipa', 'user-del', test_user])
Reference in New Issue Copy Permalink