ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
Instead of using iptables command, use "unshare --net" for uninstalling client in the restore_client method. The uninstall_client method has been extended with the additional argument unshare (bool) which defaults to False. With unshare set, the call for "ipa-client-install --uninstall -U" will be used with "unshare --net". The uninstall command will not have network access. See: https://pagure.io/freeipa/issue/7755 Signed-off-by: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com>
parent
e3d134e66f
commit
d427e4b2ba
@ -173,33 +173,36 @@ class TestForcedClientReenrollment(IntegrationTest):
|
||||
self.clients[0].run_command(['touch', CLIENT_KEYTAB])
|
||||
self.reenroll_client(force_join=True)
|
||||
|
||||
def uninstall_client(self):
|
||||
def uninstall_client(self, unshare=False):
|
||||
"""Uninstall client
|
||||
Set unshare to unshare the network namespace. This means that the
|
||||
uninstall command will not have network access.
|
||||
"""
|
||||
args = []
|
||||
if unshare:
|
||||
args = ['unshare', '--net']
|
||||
args.extend(['ipa-client-install', '--uninstall', '-U'])
|
||||
self.clients[0].run_command(
|
||||
['ipa-client-install', '--uninstall', '-U'],
|
||||
args,
|
||||
set_env=False,
|
||||
raiseonerr=False
|
||||
)
|
||||
|
||||
def restore_client(self):
|
||||
client = self.clients[0]
|
||||
# As machine-level backup and restore is difficult to automate for
|
||||
# testing purposes, restoring the client from backup can be simulated
|
||||
# by performing the following step:
|
||||
# unshare -n ip ipa-client-install --uninstall -U
|
||||
# Or the following steps:
|
||||
# iptables -A INPUT -j REJECT -p all --source $MASTER_IP
|
||||
# ipa-client-install --uninstall -U
|
||||
# iptables -F
|
||||
# The steps described above will sever communication between server
|
||||
# and client, and then uninstall the client. As a consequence, the
|
||||
# client's host entry will remain on the server, ensuring that the
|
||||
# forced re-enrollment feature works.
|
||||
|
||||
client.run_command([
|
||||
'iptables',
|
||||
'-A', 'INPUT',
|
||||
'-j', 'ACCEPT',
|
||||
'-p', 'tcp',
|
||||
'--dport', '22'
|
||||
])
|
||||
for host in [self.master] + self.replicas:
|
||||
client.run_command([
|
||||
'iptables',
|
||||
'-A', 'INPUT',
|
||||
'-j', 'REJECT',
|
||||
'-p', 'all',
|
||||
'--source', host.ip
|
||||
])
|
||||
self.uninstall_client()
|
||||
client.run_command(['iptables', '-F'])
|
||||
self.uninstall_client(unshare=True)
|
||||
|
||||
def reenroll_client(self, keytab=None, to_replica=False, force_join=False,
|
||||
expect_fail=False):
|
||||
|
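Review bot: In `uninstall_client`, the `unshare --net` wrapper runs with `raiseonerr=False`, so a failure of `unshare` itself (binary missing, or the test host not permitted to create a network namespace) looks the same as the expected outcome and silently leaves the client installed. Since `restore_client` depends on this path to leave the host entry on the server, consider keeping the result, `result = self.clients[0].run_command(args, set_env=False, raiseonerr=False)`, and checking `result.returncode` against the value an offline uninstall is expected to return. The explanatory comment in `restore_client` reads `unshare -n ip ipa-client-install --uninstall -U`; the stray `ip` does not match the command the code builds and should be dropped: `#   unshare -n ipa-client-install --uninstall -U`. The page has lost its +/- markers, so which of the iptables lines survive on the new side is inferred from the commit message rather than visible here.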