mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
ipatests: refactor test_trust.py
Tests in test_trust.py were organized in ten classes, one for each trust type, requiring ten cycles of ipaserver installation/uninstallation and the full test run lasted for about 5500 seconds. There is no need in reinstallation of ipaserver between establishing different types of trust. I moved all tests to sinle class, preserving test logic. Additional changes: * TestEnforcedPosixADTrust was totally removed as it was duplicate of TestPosixADTrust * code of repeated checks was moved to methods * A task was cretated for cleaning up DNS configuration changes made for establishing trust Related to https://pagure.io/freeipa/issue/7889 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
94a6cb11ea
commit
c819716521
@ -568,6 +568,7 @@ def install_adtrust(host):
|
|||||||
|
|
||||||
|
|
||||||
def disable_dnssec_validation(host):
|
def disable_dnssec_validation(host):
|
||||||
|
backup_file(host, paths.NAMED_CONF)
|
||||||
named_conf = host.get_file_contents(paths.NAMED_CONF)
|
named_conf = host.get_file_contents(paths.NAMED_CONF)
|
||||||
named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;',
|
named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;',
|
||||||
named_conf)
|
named_conf)
|
||||||
@ -575,30 +576,35 @@ def disable_dnssec_validation(host):
|
|||||||
restart_named(host)
|
restart_named(host)
|
||||||
|
|
||||||
|
|
||||||
|
def restore_dnssec_validation(host):
|
||||||
|
restore_files(host)
|
||||||
|
restart_named(host)
|
||||||
|
|
||||||
|
|
||||||
|
def is_subdomain(subdomain, domain):
|
||||||
|
subdomain_unpacked = subdomain.split('.')
|
||||||
|
domain_unpacked = domain.split('.')
|
||||||
|
|
||||||
|
subdomain_unpacked.reverse()
|
||||||
|
domain_unpacked.reverse()
|
||||||
|
|
||||||
|
subdomain = False
|
||||||
|
|
||||||
|
if len(subdomain_unpacked) > len(domain_unpacked):
|
||||||
|
subdomain = True
|
||||||
|
|
||||||
|
for subdomain_segment, domain_segment in zip(subdomain_unpacked,
|
||||||
|
domain_unpacked):
|
||||||
|
subdomain = subdomain and subdomain_segment == domain_segment
|
||||||
|
|
||||||
|
return subdomain
|
||||||
|
|
||||||
def configure_dns_for_trust(master, ad):
|
def configure_dns_for_trust(master, ad):
|
||||||
"""
|
"""
|
||||||
This configures DNS on IPA master according to the relationship of the
|
This configures DNS on IPA master according to the relationship of the
|
||||||
IPA's and AD's domains.
|
IPA's and AD's domains.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def is_subdomain(subdomain, domain):
|
|
||||||
subdomain_unpacked = subdomain.split('.')
|
|
||||||
domain_unpacked = domain.split('.')
|
|
||||||
|
|
||||||
subdomain_unpacked.reverse()
|
|
||||||
domain_unpacked.reverse()
|
|
||||||
|
|
||||||
subdomain = False
|
|
||||||
|
|
||||||
if len(subdomain_unpacked) > len(domain_unpacked):
|
|
||||||
subdomain = True
|
|
||||||
|
|
||||||
for subdomain_segment, domain_segment in zip(subdomain_unpacked,
|
|
||||||
domain_unpacked):
|
|
||||||
subdomain = subdomain and subdomain_segment == domain_segment
|
|
||||||
|
|
||||||
return subdomain
|
|
||||||
|
|
||||||
kinit_admin(master)
|
kinit_admin(master)
|
||||||
|
|
||||||
if is_subdomain(ad.domain.name, master.domain.name):
|
if is_subdomain(ad.domain.name, master.domain.name):
|
||||||
@ -621,6 +627,23 @@ def configure_dns_for_trust(master, ad):
|
|||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
|
def unconfigure_dns_for_trust(master, ad):
|
||||||
|
"""
|
||||||
|
This undoes changes made by configure_dns_for_trust
|
||||||
|
"""
|
||||||
|
kinit_admin(master)
|
||||||
|
if is_subdomain(ad.domain.name, master.domain.name):
|
||||||
|
master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
|
||||||
|
'%s.%s' % (ad.shortname, ad.netbios),
|
||||||
|
'--a-rec', ad.ip])
|
||||||
|
master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
|
||||||
|
ad.netbios,
|
||||||
|
'--ns-rec', '%s.%s' % (ad.shortname, ad.netbios)])
|
||||||
|
else:
|
||||||
|
master.run_command(['ipa', 'dnsforwardzone-del', ad.domain.name])
|
||||||
|
restore_dnssec_validation(master)
|
||||||
|
|
||||||
|
|
||||||
def establish_trust_with_ad(master, ad_domain, extra_args=()):
|
def establish_trust_with_ad(master, ad_domain, extra_args=()):
|
||||||
"""
|
"""
|
||||||
Establishes trust with Active Directory. Trust type is detected depending
|
Establishes trust with Active Directory. Trust type is detected depending
|
||||||
|
@ -1,21 +1,4 @@
|
|||||||
# Authors:
|
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
||||||
# Tomas Babej <tbabej@redhat.com>
|
|
||||||
#
|
|
||||||
# Copyright (C) 2013 Red Hat
|
|
||||||
# see file 'COPYING' for use and warranty information
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
from __future__ import absolute_import
|
from __future__ import absolute_import
|
||||||
|
|
||||||
@ -24,45 +7,38 @@ import unittest
|
|||||||
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
from ipaplatform.paths import paths
|
|
||||||
|
|
||||||
|
|
||||||
class ADTrustBase(IntegrationTest):
|
class TestTrust(IntegrationTest):
|
||||||
"""Provides common checks for the AD trust integration testing."""
|
|
||||||
|
|
||||||
topology = 'line'
|
topology = 'line'
|
||||||
num_ad_domains = 1
|
num_ad_domains = 1
|
||||||
num_ad_subdomains = 1
|
num_ad_subdomains = 1
|
||||||
num_ad_treedomains = 1
|
num_ad_treedomains = 1
|
||||||
|
|
||||||
|
upn_suffix = 'UPNsuffix.com'
|
||||||
|
upn_username = 'upnuser'
|
||||||
|
upn_name = 'UPN User'
|
||||||
|
upn_principal = '{}@{}'.format(upn_username, upn_suffix)
|
||||||
|
upn_password = 'Secret123456'
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def install(cls, mh):
|
def install(cls, mh):
|
||||||
if not cls.master.transport.file_exists('/usr/bin/rpcclient'):
|
if not cls.master.transport.file_exists('/usr/bin/rpcclient'):
|
||||||
raise unittest.SkipTest("Package samba-client not available "
|
raise unittest.SkipTest("Package samba-client not available "
|
||||||
"on {}".format(cls.master.hostname))
|
"on {}".format(cls.master.hostname))
|
||||||
super(ADTrustBase, cls).install(mh)
|
super(TestTrust, cls).install(mh)
|
||||||
cls.ad = cls.ads[0]
|
cls.ad = cls.ads[0] # pylint: disable=no-member
|
||||||
cls.ad_domain = cls.ad.domain.name
|
cls.ad_domain = cls.ad.domain.name
|
||||||
cls.install_adtrust()
|
tasks.install_adtrust(cls.master)
|
||||||
cls.check_sid_generation()
|
cls.check_sid_generation()
|
||||||
|
|
||||||
cls.child_ad = cls.ad_subdomains[0]
|
cls.child_ad = cls.ad_subdomains[0] # pylint: disable=no-member
|
||||||
cls.ad_subdomain = cls.child_ad.domain.name
|
cls.ad_subdomain = cls.child_ad.domain.name
|
||||||
cls.tree_ad = cls.ad_treedomains[0]
|
cls.tree_ad = cls.ad_treedomains[0] # pylint: disable=no-member
|
||||||
cls.ad_treedomain = cls.tree_ad.domain.name
|
cls.ad_treedomain = cls.tree_ad.domain.name
|
||||||
|
|
||||||
cls.configure_dns_and_time()
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def install_adtrust(cls):
|
|
||||||
"""Test adtrust support installation"""
|
|
||||||
|
|
||||||
tasks.install_adtrust(cls.master)
|
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def check_sid_generation(cls):
|
def check_sid_generation(cls):
|
||||||
"""Test SID generation"""
|
|
||||||
|
|
||||||
command = ['ipa', 'user-show', 'admin', '--all', '--raw']
|
command = ['ipa', 'user-show', 'admin', '--all', '--raw']
|
||||||
|
|
||||||
# TODO: remove duplicate definition and import from common module
|
# TODO: remove duplicate definition and import from common module
|
||||||
@ -74,72 +50,52 @@ class ADTrustBase(IntegrationTest):
|
|||||||
tasks.run_repeatedly(cls.master, command,
|
tasks.run_repeatedly(cls.master, command,
|
||||||
test=lambda x: re.search(stdout_re, x))
|
test=lambda x: re.search(stdout_re, x))
|
||||||
|
|
||||||
@classmethod
|
def configure_dns_and_time(self, ad_host):
|
||||||
def configure_dns_and_time(cls):
|
tasks.configure_dns_for_trust(self.master, ad_host)
|
||||||
tasks.configure_dns_for_trust(cls.master, cls.ad)
|
tasks.sync_time(self.master, ad_host)
|
||||||
tasks.sync_time(cls.master, cls.ad)
|
|
||||||
|
|
||||||
def test_establish_trust(self):
|
def check_trustdomains(self, realm, expected_ad_domains):
|
||||||
"""Tests establishing trust with Active Directory"""
|
"""Check that ipa trustdomain-find lists all expected domains"""
|
||||||
|
result = self.master.run_command(['ipa', 'trustdomain-find', realm])
|
||||||
|
for domain in expected_ad_domains:
|
||||||
|
expected_text = 'Domain name: %s\n' % domain
|
||||||
|
assert expected_text in result.stdout_text
|
||||||
|
expected_text = ("Number of entries returned %s\n" %
|
||||||
|
len(expected_ad_domains))
|
||||||
|
assert expected_text in result.stdout_text
|
||||||
|
|
||||||
tasks.establish_trust_with_ad(self.master, self.ad_domain,
|
def check_range_properties(self, realm, expected_type, expected_size):
|
||||||
extra_args=['--range-type', 'ipa-ad-trust'])
|
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
|
||||||
"""
|
|
||||||
Tests that all trustdomains can be found.
|
|
||||||
"""
|
|
||||||
result = self.master.run_command(['ipa',
|
|
||||||
'trustdomain-find',
|
|
||||||
self.ad_domain])
|
|
||||||
|
|
||||||
# Check that all trustdomains appear in the result
|
|
||||||
assert self.ad_domain in result.stdout_text
|
|
||||||
assert self.ad_subdomain in result.stdout_text
|
|
||||||
assert "Number of entries returned 2" in result.stdout_text
|
|
||||||
|
|
||||||
|
|
||||||
class ADTrustSubdomainBase(ADTrustBase):
|
|
||||||
"""
|
|
||||||
Base class for tests involving subdomains of trusted forests
|
|
||||||
"""
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def configure_dns_and_time(cls):
|
|
||||||
tasks.configure_dns_for_trust(cls.master, cls.child_ad)
|
|
||||||
tasks.sync_time(cls.master, cls.child_ad)
|
|
||||||
|
|
||||||
|
|
||||||
class ADTrustTreedomainBase(ADTrustBase):
|
|
||||||
"""
|
|
||||||
Base class for tests involving tree root domains of trusted forests
|
|
||||||
"""
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def configure_dns_and_time(cls):
|
|
||||||
tasks.configure_dns_for_trust(cls.master, cls.tree_ad)
|
|
||||||
tasks.sync_time(cls.master, cls.tree_ad)
|
|
||||||
|
|
||||||
|
|
||||||
class TestBasicADTrust(ADTrustBase):
|
|
||||||
"""Basic Integration test for Active Directory"""
|
|
||||||
|
|
||||||
def test_range_properties_in_nonposix_trust(self):
|
|
||||||
"""Check the properties of the created range"""
|
"""Check the properties of the created range"""
|
||||||
|
range_name = realm.upper() + '_id_range'
|
||||||
range_name = self.ad_domain.upper() + '_id_range'
|
|
||||||
result = self.master.run_command(['ipa', 'idrange-show', range_name,
|
result = self.master.run_command(['ipa', 'idrange-show', range_name,
|
||||||
'--all', '--raw'])
|
'--all', '--raw'])
|
||||||
|
expected_text = 'ipaidrangesize: %s\n' % expected_size
|
||||||
|
assert expected_text in result.stdout_text
|
||||||
|
expected_text = 'iparangetype: %s\n' % expected_type
|
||||||
|
assert expected_text in result.stdout_text
|
||||||
|
|
||||||
iparangetype_regex = r'ipaRangeType: ipa-ad-trust'
|
def remove_trust(self, ad):
|
||||||
iparangesize_regex = r'ipaIDRangeSize: 200000'
|
tasks.remove_trust_with_ad(self.master, ad.domain.name)
|
||||||
|
tasks.unconfigure_dns_for_trust(self.master, ad)
|
||||||
|
tasks.clear_sssd_cache(self.master)
|
||||||
|
|
||||||
assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
|
# Tests for non-posix AD trust
|
||||||
assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)
|
|
||||||
|
def test_establish_nonposix_trust(self):
|
||||||
|
self.configure_dns_and_time(self.ad)
|
||||||
|
tasks.establish_trust_with_ad(
|
||||||
|
self.master, self.ad_domain,
|
||||||
|
extra_args=['--range-type', 'ipa-ad-trust'])
|
||||||
|
|
||||||
|
def test_trustdomains_found_in_nonposix_trust(self):
|
||||||
|
self.check_trustdomains(
|
||||||
|
self.ad_domain, [self.ad_domain, self.ad_subdomain])
|
||||||
|
|
||||||
|
def test_range_properties_in_nonposix_trust(self):
|
||||||
|
self.check_range_properties(self.ad_domain, 'ipa-ad-trust', 200000)
|
||||||
|
|
||||||
def test_user_gid_uid_resolution_in_nonposix_trust(self):
|
def test_user_gid_uid_resolution_in_nonposix_trust(self):
|
||||||
"""Check that user has SID-generated UID"""
|
"""Check that user has SID-generated UID"""
|
||||||
|
|
||||||
# Using domain name since it is lowercased realm name for AD domains
|
# Using domain name since it is lowercased realm name for AD domains
|
||||||
testuser = 'testuser@%s' % self.ad_domain
|
testuser = 'testuser@%s' % self.ad_domain
|
||||||
result = self.master.run_command(['getent', 'passwd', testuser])
|
result = self.master.run_command(['getent', 'passwd', testuser])
|
||||||
@ -151,9 +107,10 @@ class TestBasicADTrust(ADTrustBase):
|
|||||||
% (re.escape(self.ad_domain),
|
% (re.escape(self.ad_domain),
|
||||||
re.escape(self.ad_domain))
|
re.escape(self.ad_domain))
|
||||||
|
|
||||||
assert re.search(testuser_regex, result.stdout_text)
|
assert re.search(
|
||||||
|
testuser_regex, result.stdout_text), result.stdout_text
|
||||||
|
|
||||||
def test_ipauser_authentication(self):
|
def test_ipauser_authentication_with_nonposix_trust(self):
|
||||||
ipauser = u'tuser'
|
ipauser = u'tuser'
|
||||||
original_passwd = 'Secret123'
|
original_passwd = 'Secret123'
|
||||||
new_passwd = 'userPasswd123'
|
new_passwd = 'userPasswd123'
|
||||||
@ -168,42 +125,61 @@ class TestBasicADTrust(ADTrustBase):
|
|||||||
self.master)
|
self.master)
|
||||||
|
|
||||||
# try to kinit as ipauser
|
# try to kinit as ipauser
|
||||||
self.master.run_command(
|
self.master.run_command([
|
||||||
['kinit', '-E', '{0}@{1}'.format(ipauser,
|
'kinit', '-E', '{0}@{1}'.format(ipauser, self.master.domain.name)],
|
||||||
self.master.domain.name)],
|
|
||||||
stdin_text=new_passwd)
|
stdin_text=new_passwd)
|
||||||
|
|
||||||
def test_remove_nonposix_trust(self):
|
# Tests for UPN suffixes
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_domain)
|
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
|
||||||
|
def test_upn_in_nonposix_trust(self):
|
||||||
class TestPosixADTrust(ADTrustBase):
|
"""Check that UPN is listed as trust attribute"""
|
||||||
"""Integration test for Active Directory with POSIX support"""
|
result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
|
||||||
|
|
||||||
def test_establish_trust(self):
|
|
||||||
tasks.establish_trust_with_ad(
|
|
||||||
self.master, self.ad_domain,
|
|
||||||
extra_args=['--range-type', 'ipa-ad-trust-posix']
|
|
||||||
)
|
|
||||||
|
|
||||||
def test_range_properties_in_posix_trust(self):
|
|
||||||
# Check the properties of the created range
|
|
||||||
|
|
||||||
range_name = self.ad_domain.upper() + '_id_range'
|
|
||||||
|
|
||||||
result = self.master.run_command(['ipa', 'idrange-show', range_name,
|
|
||||||
'--all', '--raw'])
|
'--all', '--raw'])
|
||||||
|
|
||||||
# Check the range type and size
|
assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
|
||||||
iparangetype_regex = r'ipaRangeType: ipa-ad-trust-posix'
|
result.stdout_text)
|
||||||
iparangesize_regex = r'ipaIDRangeSize: 200000'
|
|
||||||
|
|
||||||
assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
|
def test_upn_user_resolution_in_nonposix_trust(self):
|
||||||
assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)
|
"""Check that user with UPN can be resolved"""
|
||||||
|
result = self.master.run_command(['getent', 'passwd',
|
||||||
|
self.upn_principal])
|
||||||
|
|
||||||
|
# result will contain AD domain, not UPN
|
||||||
|
upnuser_regex = (
|
||||||
|
r"^{}@{}:\*:(\d+):(\d+):{}:/home/{}/{}:/bin/sh$".format(
|
||||||
|
self.upn_username, self.ad_domain, self.upn_name,
|
||||||
|
self.ad_domain, self.upn_username)
|
||||||
|
)
|
||||||
|
assert re.search(upnuser_regex, result.stdout_text), result.stdout_text
|
||||||
|
|
||||||
|
def test_upn_user_authentication_in_nonposix_trust(self):
|
||||||
|
""" Check that AD user with UPN can authenticate in IPA """
|
||||||
|
self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
|
||||||
|
stdin_text=self.upn_password)
|
||||||
|
|
||||||
|
def test_remove_nonposix_trust(self):
|
||||||
|
self.remove_trust(self.ad)
|
||||||
|
|
||||||
|
# Tests for posix AD trust
|
||||||
|
|
||||||
|
def test_establish_posix_trust(self):
|
||||||
|
self.configure_dns_and_time(self.ad)
|
||||||
|
tasks.establish_trust_with_ad(
|
||||||
|
self.master, self.ad_domain,
|
||||||
|
extra_args=['--range-type', 'ipa-ad-trust-posix'])
|
||||||
|
|
||||||
|
def test_trustdomains_found_in_posix_trust(self):
|
||||||
|
"""Tests that all trustdomains can be found."""
|
||||||
|
self.check_trustdomains(
|
||||||
|
self.ad_domain, [self.ad_domain, self.ad_subdomain])
|
||||||
|
|
||||||
|
def test_range_properties_in_posix_trust(self):
|
||||||
|
"""Check the properties of the created range"""
|
||||||
|
self.check_range_properties(self.ad_domain, 'ipa-ad-trust-posix',
|
||||||
|
200000)
|
||||||
|
|
||||||
def test_user_uid_gid_resolution_in_posix_trust(self):
|
def test_user_uid_gid_resolution_in_posix_trust(self):
|
||||||
# Check that user has AD-defined UID
|
"""Check that user has AD-defined UID"""
|
||||||
|
|
||||||
# Using domain name since it is lowercased realm name for AD domains
|
# Using domain name since it is lowercased realm name for AD domains
|
||||||
testuser = 'testuser@%s' % self.ad_domain
|
testuser = 'testuser@%s' % self.ad_domain
|
||||||
@ -216,7 +192,7 @@ class TestPosixADTrust(ADTrustBase):
|
|||||||
assert testuser_stdout in result.stdout_text
|
assert testuser_stdout in result.stdout_text
|
||||||
|
|
||||||
def test_user_without_posix_attributes_not_visible(self):
|
def test_user_without_posix_attributes_not_visible(self):
|
||||||
# Check that user has AD-defined UID
|
"""Check that user has AD-defined UID"""
|
||||||
|
|
||||||
# Using domain name since it is lowercased realm name for AD domains
|
# Using domain name since it is lowercased realm name for AD domains
|
||||||
nonposixuser = 'nonposixuser@%s' % self.ad_domain
|
nonposixuser = 'nonposixuser@%s' % self.ad_domain
|
||||||
@ -226,29 +202,10 @@ class TestPosixADTrust(ADTrustBase):
|
|||||||
# Getent exits with 2 for non-existent user
|
# Getent exits with 2 for non-existent user
|
||||||
assert result.returncode == 2
|
assert result.returncode == 2
|
||||||
|
|
||||||
def test_remove_trust_with_posix_attributes(self):
|
def test_remove_posix_trust(self):
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_domain)
|
self.remove_trust(self.ad)
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
|
||||||
|
# Tests for handling invalid trust types
|
||||||
class TestEnforcedPosixADTrust(TestPosixADTrust):
|
|
||||||
"""
|
|
||||||
This test is intented to copycat PosixADTrust, since enforcing the POSIX
|
|
||||||
trust type should not make a difference.
|
|
||||||
"""
|
|
||||||
"""Re-difene method from test_establish_trust_with_posix_attributes
|
|
||||||
to test_establish_trust. win server 2016 no more have support for MFU/NIS,
|
|
||||||
so autodetection doesn't work"""
|
|
||||||
|
|
||||||
def test_establish_trust(self):
|
|
||||||
tasks.establish_trust_with_ad(self.master, self.ad_domain,
|
|
||||||
extra_args=['--range-type', 'ipa-ad-trust-posix'])
|
|
||||||
|
|
||||||
|
|
||||||
class TestInvalidRangeTypes(ADTrustBase):
|
|
||||||
"""
|
|
||||||
Tests invalid values being put into trust-add command.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def test_invalid_range_types(self):
|
def test_invalid_range_types(self):
|
||||||
|
|
||||||
@ -258,40 +215,38 @@ class TestInvalidRangeTypes(ADTrustBase):
|
|||||||
'random-invalid',
|
'random-invalid',
|
||||||
're@ll%ybad12!']
|
're@ll%ybad12!']
|
||||||
|
|
||||||
for range_type in invalid_range_types:
|
self.configure_dns_and_time(self.ad)
|
||||||
tasks.kinit_admin(self.master)
|
try:
|
||||||
|
for range_type in invalid_range_types:
|
||||||
|
tasks.kinit_admin(self.master)
|
||||||
|
|
||||||
result = self.master.run_command(
|
result = self.master.run_command(
|
||||||
['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin',
|
['ipa', 'trust-add', '--type', 'ad', self.ad_domain,
|
||||||
'Administrator', '--range-type', range_type, '--password'],
|
'--admin', 'Administrator',
|
||||||
raiseonerr=False,
|
'--range-type', range_type, '--password'],
|
||||||
stdin_text=self.master.config.ad_admin_password)
|
raiseonerr=False,
|
||||||
|
stdin_text=self.master.config.ad_admin_password)
|
||||||
|
|
||||||
# The trust-add command is supposed to fail
|
# The trust-add command is supposed to fail
|
||||||
assert result.returncode == 1
|
assert result.returncode == 1
|
||||||
|
assert "ERROR: invalid 'range_type'" in result.stderr_text
|
||||||
|
finally:
|
||||||
|
tasks.unconfigure_dns_for_trust(self.master, self.ad)
|
||||||
|
|
||||||
|
# Tests for external trust with AD subdomain
|
||||||
|
|
||||||
class TestExternalTrustWithSubdomain(ADTrustSubdomainBase):
|
def test_establish_external_subdomain_trust(self):
|
||||||
"""
|
self.configure_dns_and_time(self.child_ad)
|
||||||
Test establishing external trust with subdomain
|
|
||||||
"""
|
|
||||||
|
|
||||||
def test_establish_trust(self):
|
|
||||||
""" Tests establishing external trust with Active Directory """
|
|
||||||
tasks.establish_trust_with_ad(
|
tasks.establish_trust_with_ad(
|
||||||
self.master, self.ad_subdomain,
|
self.master, self.ad_subdomain,
|
||||||
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
def test_trustdomains_found_in_external_subdomain_trust(self):
|
||||||
""" Test that only one trustdomain is found """
|
self.check_trustdomains(
|
||||||
result = self.master.run_command(['ipa', 'trustdomain-find',
|
self.ad_subdomain, [self.ad_subdomain])
|
||||||
self.ad_subdomain])
|
|
||||||
|
|
||||||
assert self.ad_subdomain in result.stdout_text
|
def test_user_gid_uid_resolution_in_external_subdomain_trust(self):
|
||||||
assert "Number of entries returned 1" in result.stdout_text
|
"""Check that user has SID-generated UID"""
|
||||||
|
|
||||||
def test_user_gid_uid_resolution_in_nonposix_trust(self):
|
|
||||||
""" Check that user has SID-generated UID """
|
|
||||||
testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
|
testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
|
||||||
result = self.master.run_command(['getent', 'passwd', testuser])
|
result = self.master.run_command(['getent', 'passwd', testuser])
|
||||||
|
|
||||||
@ -303,62 +258,43 @@ class TestExternalTrustWithSubdomain(ADTrustSubdomainBase):
|
|||||||
|
|
||||||
assert re.search(testuser_regex, result.stdout_text)
|
assert re.search(testuser_regex, result.stdout_text)
|
||||||
|
|
||||||
def test_remove_nonposix_trust(self):
|
def test_remove_external_subdomain_trust(self):
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_subdomain)
|
self.remove_trust(self.child_ad)
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
|
||||||
|
# Tests for non-external trust with AD subdomain
|
||||||
|
|
||||||
class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
|
def test_establish_nonexternal_subdomain_trust(self):
|
||||||
"""
|
self.configure_dns_and_time(self.child_ad)
|
||||||
Tests that a non-external trust to a subdomain cannot be established
|
try:
|
||||||
"""
|
tasks.kinit_admin(self.master)
|
||||||
def test_establish_trust(self):
|
|
||||||
""" Tests establishing non-external trust with Active Directory """
|
|
||||||
self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
|
|
||||||
'HTTP/%s' % self.master.hostname])
|
|
||||||
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
|
|
||||||
self.master.run_command(['kdestroy', '-A'])
|
|
||||||
|
|
||||||
tasks.kinit_admin(self.master)
|
result = self.master.run_command([
|
||||||
self.master.run_command(['klist'])
|
'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain,
|
||||||
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
|
'--admin',
|
||||||
|
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
|
||||||
result = self.master.run_command([
|
|
||||||
'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, '--admin',
|
|
||||||
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
|
|
||||||
], stdin_text=self.master.config.ad_admin_password,
|
], stdin_text=self.master.config.ad_admin_password,
|
||||||
raiseonerr=False)
|
raiseonerr=False)
|
||||||
|
|
||||||
assert result != 0
|
assert result != 0
|
||||||
assert ("Domain '{0}' is not a root domain".format(
|
assert ("Domain '{0}' is not a root domain".format(
|
||||||
self.ad_subdomain) in result.stderr_text)
|
self.ad_subdomain) in result.stderr_text)
|
||||||
|
finally:
|
||||||
|
tasks.unconfigure_dns_for_trust(self.master, self.child_ad)
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
# Tests for external trust with tree domain
|
||||||
raise unittest.SkipTest(
|
|
||||||
'Test case unapplicable, present for inheritance reason only')
|
|
||||||
|
|
||||||
|
def test_establish_external_treedomain_trust(self):
|
||||||
class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
|
self.configure_dns_and_time(self.tree_ad)
|
||||||
"""
|
|
||||||
Test establishing external trust with tree root domain
|
|
||||||
"""
|
|
||||||
|
|
||||||
def test_establish_trust(self):
|
|
||||||
""" Tests establishing external trust with Active Directory """
|
|
||||||
tasks.establish_trust_with_ad(
|
tasks.establish_trust_with_ad(
|
||||||
self.master, self.ad_treedomain,
|
self.master, self.ad_treedomain,
|
||||||
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
def test_trustdomains_found_in_external_treedomain_trust(self):
|
||||||
""" Test that only one trustdomain is found """
|
self.check_trustdomains(
|
||||||
result = self.master.run_command(['ipa', 'trustdomain-find',
|
self.ad_treedomain, [self.ad_treedomain])
|
||||||
self.ad_treedomain])
|
|
||||||
|
|
||||||
assert self.ad_treedomain in result.stdout_text
|
def test_user_gid_uid_resolution_in_external_treedomain_trust(self):
|
||||||
assert "Number of entries returned 1" in result.stdout_text
|
"""Check that user has SID-generated UID"""
|
||||||
|
|
||||||
def test_user_gid_uid_resolution_in_nonposix_trust(self):
|
|
||||||
""" Check that user has SID-generated UID """
|
|
||||||
testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
|
testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
|
||||||
result = self.master.run_command(['getent', 'passwd', testuser])
|
result = self.master.run_command(['getent', 'passwd', testuser])
|
||||||
|
|
||||||
@ -368,107 +304,42 @@ class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
|
|||||||
re.escape(self.ad_treedomain),
|
re.escape(self.ad_treedomain),
|
||||||
re.escape(self.ad_treedomain)))
|
re.escape(self.ad_treedomain)))
|
||||||
|
|
||||||
assert re.search(testuser_regex, result.stdout_text)
|
assert re.search(
|
||||||
|
testuser_regex, result.stdout_text), result.stdout_text
|
||||||
|
|
||||||
def test_remove_nonposix_trust(self):
|
def test_remove_external_treedomain_trust(self):
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_treedomain)
|
self.remove_trust(self.tree_ad)
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
|
||||||
|
# Test for non-external trust with tree domain
|
||||||
|
|
||||||
class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
|
def test_establish_nonexternal_treedomain_trust(self):
|
||||||
"""
|
self.configure_dns_and_time(self.tree_ad)
|
||||||
Tests that a non-external trust to a tree root domain cannot be established
|
try:
|
||||||
"""
|
tasks.kinit_admin(self.master)
|
||||||
def test_establish_trust(self):
|
|
||||||
""" Tests establishing non-external trust with Active Directory """
|
|
||||||
self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
|
|
||||||
'HTTP/%s' % self.master.hostname])
|
|
||||||
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
|
|
||||||
self.master.run_command(['kdestroy', '-A'])
|
|
||||||
|
|
||||||
tasks.kinit_admin(self.master)
|
result = self.master.run_command([
|
||||||
self.master.run_command(['klist'])
|
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
|
||||||
self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
|
'--admin',
|
||||||
|
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
|
||||||
result = self.master.run_command([
|
|
||||||
'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
|
|
||||||
'Administrator', '--password', '--range-type', 'ipa-ad-trust'
|
|
||||||
], stdin_text=self.master.config.ad_admin_password,
|
], stdin_text=self.master.config.ad_admin_password,
|
||||||
raiseonerr=False)
|
raiseonerr=False)
|
||||||
|
|
||||||
assert result != 0
|
assert result != 0
|
||||||
assert ("Domain '{0}' is not a root domain".format(
|
assert ("Domain '{0}' is not a root domain".format(
|
||||||
self.ad_treedomain) in result.stderr_text)
|
self.ad_treedomain) in result.stderr_text)
|
||||||
|
finally:
|
||||||
|
tasks.unconfigure_dns_for_trust(self.master, self.tree_ad)
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
# Tests for external trust with root domain
|
||||||
raise unittest.SkipTest(
|
|
||||||
'Test case unapplicable, present for inheritance reason only')
|
|
||||||
|
|
||||||
|
def test_establish_external_rootdomain_trust(self):
|
||||||
class TestExternalTrustWithRootDomain(ADTrustBase):
|
self.configure_dns_and_time(self.ad)
|
||||||
"""
|
|
||||||
Test establishing external trust with root domain
|
|
||||||
Main purpose of this test is to verify that subdomains are not
|
|
||||||
associated with the external trust, hence all tests are skipped
|
|
||||||
if no subdomain is specified.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def test_establish_trust(self):
|
|
||||||
""" Tests establishing external trust with Active Directory """
|
|
||||||
tasks.establish_trust_with_ad(
|
tasks.establish_trust_with_ad(
|
||||||
self.master, self.ad_domain,
|
self.master, self.ad_domain,
|
||||||
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
||||||
|
|
||||||
def test_all_trustdomains_found(self):
|
def test_trustdomains_found_in_external_rootdomain_trust(self):
|
||||||
""" Test that only one trustdomain is found """
|
self.check_trustdomains(self.ad_domain, [self.ad_domain])
|
||||||
result = self.master.run_command(['ipa', 'trustdomain-find',
|
|
||||||
self.ad_domain])
|
|
||||||
|
|
||||||
assert self.ad_domain in result.stdout_text
|
def test_remove_external_rootdomain_trust(self):
|
||||||
assert "Number of entries returned 1" in result.stdout_text
|
self.remove_trust(self.ad)
|
||||||
|
|
||||||
def test_remove_nonposix_trust(self):
|
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_domain)
|
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
|
||||||
|
|
||||||
class TestTrustWithUPN(ADTrustBase):
|
|
||||||
"""
|
|
||||||
Test support of UPN for trusted domains
|
|
||||||
"""
|
|
||||||
|
|
||||||
upn_suffix = 'UPNsuffix.com'
|
|
||||||
upn_username = 'upnuser'
|
|
||||||
upn_name = 'UPN User'
|
|
||||||
upn_principal = '{}@{}'.format(upn_username, upn_suffix)
|
|
||||||
upn_password = 'Secret123456'
|
|
||||||
|
|
||||||
def test_upn_in_nonposix_trust(self):
|
|
||||||
""" Check that UPN is listed as trust attribute """
|
|
||||||
result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
|
|
||||||
'--all', '--raw'])
|
|
||||||
|
|
||||||
assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
|
|
||||||
result.stdout_text)
|
|
||||||
|
|
||||||
def test_upn_user_resolution_in_nonposix_trust(self):
|
|
||||||
""" Check that user with UPN can be resolved """
|
|
||||||
result = self.master.run_command(['getent', 'passwd',
|
|
||||||
self.upn_principal])
|
|
||||||
|
|
||||||
# result will contain AD domain, not UPN
|
|
||||||
upnuser_regex = (
|
|
||||||
r"^{}@{}:\*:(\d+):(\d+):{}:/home/{}/{}:/bin/sh$".format(
|
|
||||||
self.upn_username, self.ad_domain, self.upn_name,
|
|
||||||
self.ad_domain, self.upn_username)
|
|
||||||
)
|
|
||||||
assert re.search(upnuser_regex, result.stdout_text)
|
|
||||||
|
|
||||||
def test_upn_user_authentication(self):
|
|
||||||
""" Check that AD user with UPN can authenticate in IPA """
|
|
||||||
self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
|
|
||||||
stdin_text=self.upn_password)
|
|
||||||
|
|
||||||
def test_remove_nonposix_trust(self):
|
|
||||||
tasks.remove_trust_with_ad(self.master, self.ad_domain)
|
|
||||||
tasks.clear_sssd_cache(self.master)
|
|
||||||
|
Loading…
Reference in New Issue
Block a user