mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Tests: Providing trust tests with tree root domain
https://fedorahosted.org/freeipa/ticket/6347 Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
This commit is contained in:
parent
2dd66c6366
commit
4df1d9d1a5
@ -172,7 +172,7 @@ def mh(request, class_integration_logs):
|
||||
for _i in range(cls.num_ad_domains):
|
||||
domain_descriptions.append({
|
||||
'type': 'AD',
|
||||
'hosts': {'ad': 1, 'ad_subdomain': 1},
|
||||
'hosts': {'ad': 1, 'ad_subdomain': 1, 'ad_treedomain': 1},
|
||||
})
|
||||
|
||||
mh = make_multihost_fixture(
|
||||
|
@ -31,7 +31,7 @@ class ADTrustBase(IntegrationTest):
|
||||
|
||||
topology = 'line'
|
||||
num_ad_domains = 1
|
||||
optional_extra_roles = ['ad_subdomain']
|
||||
optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
|
||||
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
@ -52,6 +52,14 @@ class ADTrustBase(IntegrationTest):
|
||||
except LookupError:
|
||||
cls.ad_subdomain = None
|
||||
|
||||
# Determine whether the tree domain AD is available
|
||||
try:
|
||||
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
|
||||
cls.ad_treedomain = '.'.join(
|
||||
cls.tree_ad.hostname.split('.')[1:])
|
||||
except LookupError:
|
||||
cls.ad_treedomain = None
|
||||
|
||||
cls.configure_dns_and_time()
|
||||
|
||||
@classmethod
|
||||
@ -98,9 +106,10 @@ class ADTrustBase(IntegrationTest):
|
||||
'trustdomain-find',
|
||||
self.ad_domain])
|
||||
|
||||
# Check that both trustdomains appear in the result
|
||||
# Check that all trustdomains appear in the result
|
||||
assert self.ad_domain in result.stdout_text
|
||||
assert self.ad_subdomain in result.stdout_text
|
||||
assert self.ad_treedomain in result.stdout_text
|
||||
|
||||
|
||||
class ADTrustSubdomainBase(ADTrustBase):
|
||||
@ -116,20 +125,26 @@ class ADTrustSubdomainBase(ADTrustBase):
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
super(ADTrustSubdomainBase, cls).install(mh)
|
||||
cls.ad = cls.ad_domains[0].ads[0]
|
||||
cls.ad_domain = cls.ad.domain.name
|
||||
cls.install_adtrust()
|
||||
cls.check_sid_generation()
|
||||
|
||||
# Determine whether the subdomain AD is available
|
||||
# if not, skip the whole suite
|
||||
try:
|
||||
cls.child_ad = cls.host_by_role(cls.optional_extra_roles[0])
|
||||
cls.ad_subdomain = '.'.join(cls.child_ad.hostname.split('.')[1:])
|
||||
except LookupError:
|
||||
if not cls.ad_subdomain:
|
||||
raise nose.SkipTest('AD subdomain is not available.')
|
||||
|
||||
cls.configure_dns_and_time()
|
||||
|
||||
class ADTrustTreedomainBase(ADTrustBase):
|
||||
"""
|
||||
Base class for tests involving tree root domains of trusted forests
|
||||
"""
|
||||
|
||||
@classmethod
|
||||
def configure_dns_and_time(cls):
|
||||
tasks.configure_dns_for_trust(cls.master, cls.ad_treedomain)
|
||||
tasks.sync_time(cls.master, cls.tree_ad)
|
||||
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
super(ADTrustTreedomainBase, cls).install(mh)
|
||||
if not cls.ad_treedomain:
|
||||
raise nose.SkipTest('AD tree root domain is not available.')
|
||||
|
||||
|
||||
class TestBasicADTrust(ADTrustBase):
|
||||
"""Basic Integration test for Active Directory"""
|
||||
@ -343,6 +358,73 @@ class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
|
||||
'Test case unapplicable, present for inheritance reason only')
|
||||
|
||||
|
||||
class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
|
||||
"""
|
||||
Test establishing external trust with tree root domain
|
||||
"""
|
||||
|
||||
def test_establish_trust(self):
|
||||
""" Tests establishing external trust with Active Directory """
|
||||
tasks.establish_trust_with_ad(
|
||||
self.master, self.ad_treedomain,
|
||||
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
||||
|
||||
def test_all_trustdomains_found(self):
|
||||
""" Test that only one trustdomain is found """
|
||||
result = self.master.run_command(['ipa', 'trustdomain-find',
|
||||
self.ad_treedomain])
|
||||
|
||||
assert self.ad_treedomain in result.stdout_text
|
||||
assert "Number of entries returned 1" in result.stdout_text
|
||||
|
||||
def test_user_gid_uid_resolution_in_nonposix_trust(self):
|
||||
""" Check that user has SID-generated UID """
|
||||
testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
|
||||
result = self.master.run_command(['getent', 'passwd', testuser])
|
||||
|
||||
testuser_regex = ("^treetestuser@{0}:\*:(?!10242)(\d+):"
|
||||
"(?!10247)(\d+):TreeTest User:"
|
||||
"/home/{1}/treetestuser:/bin/sh$".format(
|
||||
re.escape(self.ad_treedomain),
|
||||
re.escape(self.ad_treedomain)))
|
||||
|
||||
assert re.search(testuser_regex, result.stdout_text)
|
||||
|
||||
def test_remove_nonposix_trust(self):
|
||||
tasks.remove_trust_with_ad(self.master, self.ad_treedomain)
|
||||
tasks.clear_sssd_cache(self.master)
|
||||
|
||||
|
||||
class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
|
||||
"""
|
||||
Tests that a non-external trust to a tree root domain cannot be established
|
||||
"""
|
||||
def test_establish_trust(self):
|
||||
""" Tests establishing non-external trust with Active Directory """
|
||||
self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
|
||||
'HTTP/%s' % self.master.hostname])
|
||||
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
|
||||
self.master.run_command(['kdestroy', '-A'])
|
||||
|
||||
tasks.kinit_admin(self.master)
|
||||
self.master.run_command(['klist'])
|
||||
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
|
||||
|
||||
result = self.master.run_command([
|
||||
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
|
||||
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
|
||||
], stdin_text=self.master.config.ad_admin_password,
|
||||
raiseonerr=False)
|
||||
|
||||
assert result != 0
|
||||
assert ("Domain '{0}' is not a root domain".format(
|
||||
self.ad_treedomain) in result.stderr_text)
|
||||
|
||||
def test_all_trustdomains_found(self):
|
||||
raise nose.SkipTest(
|
||||
'Test case unapplicable, present for inheritance reason only')
|
||||
|
||||
|
||||
class TestExternalTrustWithRootDomain(ADTrustSubdomainBase):
|
||||
"""
|
||||
Test establishing external trust with root domain
|
||||
|
Loading…
Reference in New Issue
Block a user