ipatests: ipa-adtrust-install command test scenarios

This patch adds test cases that can be run
against the ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Sudhir Menon
2023-03-16 13:00:35 +05:30
committed by Florence Blanc-Renaud
parent a83ae63578
commit dd22bd2528
2 changed files with 603 additions and 9 deletions


@@ -2675,26 +2675,35 @@ def get_pki_version(host):
raise ValueError("get_pki_version: pki is not installed") raise ValueError("get_pki_version: pki is not installed")
def get_healthcheck_version(host): def get_package_version(host, pkgname):
""" """
Function to get healthcheck version on fedora and rhel Get package version on remote host
""" """
platform = get_platform(host) platform = get_platform(host)
if platform in ("rhel", "fedora"): if platform in ("rhel", "fedora"):
cmd = host.run_command( cmd = host.run_command(
["rpm", "-qa", "--qf", "%{VERSION}", "*ipa-healthcheck"] ["rpm", "-qa", "--qf", "%{VERSION}", pkgname]
) )
healthcheck_version = cmd.stdout_text get_package_version = cmd.stdout_text
if not healthcheck_version: if not get_package_version:
raise ValueError( raise ValueError(
"get_healthcheck_version: " "get_package_version: "
"ipa-healthcheck package is not installed" "pkgname package is not installed"
) )
else: else:
raise ValueError( raise ValueError(
"get_healthcheck_version: unknown platform %s" % platform "get_package_version: unknown platform %s" % platform
) )
return healthcheck_version return get_package_version
def get_openldap_client_version(host):
"""Get openldap-clients version on remote host"""
return get_package_version(host, 'openldap-clients')
def get_healthcheck_version(host):
return get_package_version(host, '*ipa-healthcheck')
def wait_for_ipa_to_start(host, timeout=60): def wait_for_ipa_to_start(host, timeout=60):
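Review bot: In `get_package_version` the not-installed error embeds the literal word `pkgname` rather than the package that was queried, so a missing openldap-clients and a missing ipa-healthcheck produce the same ValueError text; interpolate the argument instead, e.g. `"%s package is not installed" % pkgname`. The local that holds the rpm output is also named `get_package_version`, which shadows the function inside its own body; a name such as `pkg_version` avoids that. Because the healthcheck wrapper passes a glob (`*ipa-healthcheck`) and the `--qf` format is `%{VERSION}` with no separator, more than one match would return the versions run together, which deserves a sentence in the docstring. `get_healthcheck_version` also lost its docstring in the refactor and should get a one-line one like `get_openldap_client_version` has.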


@@ -7,12 +7,15 @@
import re import re
import os import os
import textwrap import textwrap
import subprocess
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython.dn import DN from ipapython.dn import DN
from ipatests.pytest_ipa.integration import tasks from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.base import IntegrationTest
from pkg_resources import parse_version
import pytest
class TestIpaAdTrustInstall(IntegrationTest): class TestIpaAdTrustInstall(IntegrationTest):
topology = 'line' topology = 'line'
@@ -303,3 +306,585 @@ class TestIpaAdTrustInstall(IntegrationTest):
finally: finally:
tasks.kinit_admin(self.master) tasks.kinit_admin(self.master)
self.master.run_command(['ipa', 'user-del', user]) self.master.run_command(['ipa', 'user-del', user])
@pytest.mark.parametrize('netbios_name', ['testrelm', '.TESTRELM',
'Te!5@relm', 'TEST.REALM'])
def test_adtrust_install_with_incorrect_netbios_name(self, netbios_name):
"""
Test that ipa-adtrust-install returns an
error when an incorrect netbios name is provided
"""
msg = (
"ipaserver.install.adtrust: ERROR \n"
"Illegal NetBIOS name [{}].\n\n"
"ipaserver.install.adtrust: ERROR "
"Up to 15 characters and only uppercase "
"ASCII letters, digits and dashes are allowed."
" Empty string is not allowed.\n"
"Aborting installation.\n"
).format(netbios_name)
result = self.master.run_command(
[
"ipa-adtrust-install",
"-a",
self.master.config.admin_password,
"--netbios-name",
netbios_name,
"-U",
],
raiseonerr=False,
)
assert result.returncode != 0
assert msg in result.stderr_text
def test_adtrust_install_with_numerical_netbios_name(self):
"""
Test that ipa-adtrust-install works with numerical
netbios name
"""
netbios_name = '1234567'
msg = (
'NetBIOS domain name will be changed to 1234567'
)
result = self.master.run_command(
[
"ipa-adtrust-install",
"-a",
self.master.config.admin_password,
"--netbios-name",
netbios_name,
"-U",
],
raiseonerr=False,
)
assert msg in result.stdout_text
assert result.returncode == 0
def test_adtrust_install_with_non_ipa_user(self):
"""
Test that ipa-adtrust-install command returns
an error when kinit is done as alias
i.e root which is not an ipa user.
"""
msg = (
'Unrecognized error during check of admin rights: '
'root: user not found'
)
user = 'root'
self.master.run_command(
["kinit", "-E", user],
stdin_text=self.master.config.admin_password
)
result = self.master.run_command(
["ipa-adtrust-install", "-A", user,
"-a", self.master.config.admin_password,
"-U"], raiseonerr=False
)
assert result.returncode != 0
assert msg in result.stderr_text
def test_adtrust_install_as_regular_ipa_user(self):
"""
This testcase checks that when regular ipa user
does kinit and runs the ipa-adtrust-install
command, the command is not run and message
is displayed on the console.
"""
user = "ipauser1"
passwd = "Secret123"
try:
tasks.create_active_user(
self.master,
user,
password=passwd,
first=user,
last=user,
)
tasks.kinit_as_user(self.master, user, passwd)
self.master.run_command(["klist", "-l"])
result = self.master.run_command(
["ipa-adtrust-install", "-A", user,
"-a", passwd, "-U"], raiseonerr=False
)
msg = "Must have administrative privileges to " \
"setup AD trusts on server\n"
assert msg in result.stderr_text
assert result.returncode != 0
finally:
self.master.run_command(["kdestroy", "-A"])
tasks.kinit_admin(self.master)
def test_adtrust_install_as_non_root_user(self):
"""
This testcase checks that when regular
ipa user logins and then runs ipa-adtrust-install
command, the command fails to run
"""
user = "ipauser2"
pwd = "Secret123"
cmd = ["ipa-adtrust-install"]
msg = (
"Must be root to setup AD trusts on server"
)
try:
tasks.create_active_user(self.master, user, pwd)
tasks.run_command_as_user(
self.master, user, cmd
)
except subprocess.CalledProcessError as e:
assert msg in e.stderr
assert e.returncode != 0
else:
pytest.fail(
"Run ipa-adtrust-install as non "
"root user did not return error"
)
def test_adtrust_install_as_admins_group_user(self):
"""
Test to check that ipa-adtrust-install is successfull
when a regular ipa user is part of the admins group
"""
user = "testuser1"
pwd = "Secret123"
tasks.create_active_user(self.master, user, pwd)
tasks.kinit_admin(self.master)
self.master.run_command(
["ipa", "group-add-member", "admins", "--users={}".format(user)]
)
self.master.run_command(["kdestroy", "-A"])
self.master.run_command(
["ipa-adtrust-install", "-A", user,
"-a", pwd, "-U"]
)
def test_adtrust_install_with_incorrect_admin_password(self):
"""
Test to check ipa-adtrust-install with incorrect admin
password
"""
password = "wrong_pwd"
msg = (
"Must have Kerberos credentials to setup AD trusts on server: "
"Major (458752): No credentials were supplied, or the credentials "
"were unavailable or inaccessible, Minor (2529639053): "
"No Kerberos credentials available (default cache: KCM:)\n"
)
self.master.run_command(["kdestroy", "-A"])
result = self.master.run_command(
["ipa-adtrust-install", "-A", "admin", "-a",
password, "-U"], raiseonerr=False
)
assert msg in result.stderr_text
assert result.returncode != 0
def test_adtrust_install_with_invalid_rid_base_value(self):
"""
Test to check adtrust install with invalid rid-base
value
"""
rid_base_value = "103.2"
msg = (
"ipa-adtrust-install: error: option " "--rid-base: "
"invalid integer value: '{}'"
).format(rid_base_value)
result = self.master.run_command(
[
"ipa-adtrust-install",
"-A",
"admin",
"-a",
self.master.config.admin_password,
"--rid-base",
rid_base_value,
"-U",
],
raiseonerr=False,
)
assert msg in result.stderr_text
assert result.returncode != 0
def test_adtrust_install_with_invalid_secondary_rid_base(self):
"""
Test to check adtrust install with invalid secondary rid-base
value
"""
sec_rid_base_value = "103.2"
msg = (
"ipa-adtrust-install: error: option "
"--secondary-rid-base: invalid integer value: '{}'"
).format(sec_rid_base_value)
result = self.master.run_command(
[
"ipa-adtrust-install",
"-A",
"admin",
"-a",
self.master.config.admin_password,
"--secondary-rid-base",
sec_rid_base_value,
"-U",
],
raiseonerr=False,
)
assert msg in result.stderr_text
assert result.returncode != 0
def test_adtrust_reinstall_updates_ipaNTFlatName_attribute(self):
"""
Test checks that reinstalling ipa-adtrust-install with
new netbios name reflects changes in ipaNTFlatName attribute
and ipa trustconfig-show also reflects the same.
"""
netbios_name = "TEST8REALM"
cmd = self.master.run_command(
[
"ipa-adtrust-install",
"-a",
self.master.config.admin_password,
"--netbios-name",
netbios_name,
"-U",
]
)
trust_dn = "cn={},cn=ad,cn=etc,{}".format(
self.master.domain.name, self.master.domain.basedn
)
cmd_args = ["ldapsearch", "-Y", "GSSAPI", "(ipaNTFlatName=*)",
"-s", "base", "-b", trust_dn]
cmd = self.master.run_command(cmd_args)
cmd1 = self.master.run_command(["ipa", "trustconfig-show"])
assert "ipaNTFlatName: {}".format(netbios_name) in cmd.stdout_text
assert "NetBIOS name: {}".format(netbios_name) in cmd1.stdout_text
def test_smb_not_starting_post_adtrust_install(self):
"""
Test checks that winbindd crash doesn't occur
and smb service is running post ipa-adtrust-install.
https://bugzilla.redhat.com/show_bug.cgi?id=991251
"""
samba_msg = (
'Unit smb.service entered failed state'
)
core_dump_msg = (
'dumping core in /var/log/samba/cores/winbindd'
)
smb_cmd = self.master.run_command(
['systemctl', 'status', 'smb']
)
assert smb_cmd.returncode == 0
assert samba_msg not in smb_cmd.stdout_text
winbind_cmd = self.master.run_command(
['systemctl', 'status', 'winbind']
)
assert winbind_cmd.returncode == 0
assert core_dump_msg not in winbind_cmd.stdout_text
def test_samba_credential_cache_is_removed_post_uninstall(self):
"""
Test checks that samba credential cache is removed after
ipa-server is uninstalled.
https://pagure.io/freeipa/issue/3479
"""
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password, "-U"]
)
assert self.master.transport.file_exists(paths.KRB5CC_SAMBA)
tasks.uninstall_replica(self.master, self.replicas[0])
tasks.uninstall_master(self.master)
assert not self.master.transport.file_exists(paths.KRB5CC_SAMBA)
def test_adtrust_install_without_ipa_installed(self):
"""
Tests checks that ipa-adrust-install warns when
ipa is not installed on the system
"""
msg = (
"IPA is not configured on this system."
)
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password, "-U"], raiseonerr=False)
assert msg in result.stderr_text
assert result.returncode != 0
def test_adtrust_install_without_integrated_dns(self):
"""
Test checks ipa-adtrust-install displays the necessary
service records to be added on a IPA server
without integrated dns setup.
"""
realm = self.master.domain.realm.lower()
hostname = self.master.hostname
msg = (
"Done configuring CIFS.\n"
"DNS management was not enabled at install time.\n"
"Add the following service records to your DNS server "
"for DNS zone {0}: \n"
"_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.{0}. "
"3600 IN SRV 0 100 389 {1}.\n"
"_ldap._tcp.dc._msdcs.{0}. 3600 IN SRV 0 100 389 {1}.\n"
"_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.{0}. "
"3600 IN SRV 0 100 88 {1}.\n"
"_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.{0}. "
"3600 IN SRV 0 100 88 {1}.\n"
"_kerberos._tcp.dc._msdcs.{0}. 3600 IN SRV 0 100 88 {1}.\n"
"_kerberos._udp.dc._msdcs.{0}. 3600 IN SRV 0 100 88 {1}.\n\n"
"================================================================"
"=============\n"
"Setup complete\n\n"
).format(realm, hostname)
result = tasks.install_master(self.master, setup_dns=False)
assert result.returncode == 0
cmd = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password, "-U"]
)
assert msg in cmd.stdout_text
def test_adtrust_install_with_debug_option(self):
"""
Test checks that ipa-adtrust-install runs with debug option
without any error.
"""
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password, "-U", "-d"]
)
def test_adtrust_install_cli_without_smbpasswd_file(self):
"""
Test checks that ipa-adtrust-install works fine even
without smbpasswd file
https://pagure.io/freeipa/issue/3181
"""
error_msg = (
"< type 'file' > was not found on this system "
"Please install the 'samba' packages and start "
"the installation again Aborting installation"
)
self.master.run_command(
["mv", "/usr/bin/smbpasswd", "/usr/bin/smbpasswd.old"]
)
cmd = ["ipa-adtrust-install"]
with self.master.spawn_expect(cmd) as e:
e.expect_exact("admin password:")
e.sendline(self.master.config.admin_password)
# WARNING: The smb.conf already exists.
# Running ipa-adtrust-install
# will break your existing samba configuration.
# Do you wish to continue? [no]:
e.expect(
[
"smb\\.conf detected.+Overwrite smb\\.conf\\?",
"smb\\.conf already exists.+Do you wish to continue\\?",
]
)
e.sendline("yes")
e.expect(["Enable trusted domains support in slapi-nis\\?"])
e.sendline("no")
e.expect_exit(ignore_remaining_output=True, timeout=60)
output = e.get_last_output()
assert "Setup complete" in output
assert error_msg not in output
# Rename the smbpasswd file to original
self.master.run_command(
["mv", "/usr/bin/smbpasswd.old", "/usr/bin/smbpasswd"]
)
def test_adtrust_install_enable_compat(self):
"""
Test adtrust_install with enable compat option
"""
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"--enable-compat", "-U"]
)
conn = self.master.ldap_connect()
entry = conn.get_entry(
DN("cn=users,cn=Schema Compatibility,cn=plugins,cn=config")
)
assert entry.single_value["schema-compat-lookup-nsswitch"] == "user"
def test_adtrust_install_invalid_ipaddress_option(self):
"""
Test ipa-adtrust-install with invalid --ip-address
option
"""
msg = (
'ipa-adtrust-install: error: no such option: --ip-address'
)
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"--ip-address", "-U"], raiseonerr=False
)
assert msg in result.stderr_text
assert result.returncode != 0
def test_syntax_error_in_ipachangeconf(self):
"""
Test checks that ipa-adtrust-install doesn't fail
with 'Syntax Error' when dns_lookup_kdc is set to False
in /etc/krb5.conf
https://pagure.io/freeipa/issue/3132
"""
error_msg = (
'The ipa-adtrust-install command failed, exception: '
'SyntaxError: Syntax Error: Unknown line format'
)
tasks.FileBackup(self.master, paths.KRB5_CONF)
krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF,
encoding='utf-8')
new_krb5_cfg = krb5_cfg.replace(
'dns_lookup_kdc = true', 'dns_lookup_kdc = false'
)
self.master.put_file_contents(paths.KRB5_CONF, new_krb5_cfg)
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"-U"], raiseonerr=False
)
assert error_msg not in result.stderr_text
def test_unattended_adtrust_install_uses_default_netbios_name(self):
"""
ipa-adtrust-install unattended install should use default
netbios name rather than prompting for it.
https://fedorahosted.org/freeipa/ticket/3497
"""
msg = (
'Enter the NetBIOS name for the IPA domain'
'Only up to 15 uppercase ASCII letters and '
'digits are allowed.'
)
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"-U"]
)
assert result.returncode == 0
assert msg not in result.stdout_text
def test_adtrust_install_with_def_rid_base_values(self):
"""
Test that ipa-adtrust-install install is successful
with default rid and secondary values
"""
rid_base = '1000'
sec_rid_base = '100000000'
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"--rid-base", rid_base,
"--secondary-rid-base", sec_rid_base,
"-U"]
)
def test_ipa_adtrust_install_with_add_agents_option(self):
"""
This testcase checks that ipa-adtrust-install
with --add-agents works without any error
on IPA server
"""
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"--add-agents",
"-U"]
)
assert result.returncode == 0
def test_ipa_adtrust_install_with_add_sids_option(self):
"""
This testcase checks that ipa-adtrust-install
with --add-sids option works without any error
"""
msg = (
'adding SIDs to existing users and groups\n'
'This step may take considerable amount of time, please wait..'
)
result = self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"--add-sids",
"-U"]
)
assert msg in result.stdout_text
def test_cldap_responder_doesnot_hang_for_domain_discovery(self):
"""
This testcase checks that cldap responder doesnot hang
for domain discovery.
https://pagure.io/freeipa/issue/3639
"""
version = tasks.get_openldap_client_version(self.master)
if parse_version(version) >= parse_version('2.6'):
pytest.skip('bz2167328')
base_dn = ""
srch_filter = "(&(DnsDomain={})(NtVer=\\06\\00\\00\\00)" \
"(AAC=\\00\\00\\00\\00))".format(self.master.domain.name)
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"-U"]
)
result = self.master.run_command(
["ldapsearch", "-LL", "-H",
"cldap://{}".format(self.master.hostname),
"-b", base_dn, "-s", "base", srch_filter]
)
assert result.returncode == 0
assert 'dn:\nnetlogon::' in result.stdout_text
def test_user_connects_smb_share_if_locked_specific_group(self):
"""
Test scenario:
Create a share in the samba server
Access the share as admin, should work
set valid users = admins to limit the share access to
members of the "admins" group
Access the share as admin, should work
https://pagure.io/freeipa/issue/4234
"""
msg = "tree connect failed: NT_STATUS_ACCESS_DENIED"
self.master.run_command(
["ipa-adtrust-install", "-a",
self.master.config.admin_password,
"-U"]
)
self.master.run_command(["mkdir", "/freeipa4234"])
self.master.run_command(
["chcon", "-t", "samba_share_t",
"/freeipa4234"])
self.master.run_command(
["setfacl", "-m", "g:admins:rwx",
"/freeipa4234"])
self.master.run_command(
["net", "conf", "setparm", "share",
"comment", "Test Share"])
self.master.run_command(
["net", "conf", "setparm", "share",
"read only", "no"])
self.master.run_command(
["net", "conf", "setparm", "share",
"path", "/freeipa4234"])
self.master.run_command(["touch", "before"])
self.master.run_command(["touch", "after"])
self.master.run_command(
["smbclient", "--use-kerberos=desired",
"-c=put before", "//{}/share".format(
self.master.hostname)]
)
self.master.run_command(
["net", "conf", "setparm", "share",
"valid users", "@admins"])
result = self.master.run_command(
["smbclient", "--use-kerberos=desired",
"-c=put after", "//{}/share".format(
self.master.hostname)]
)
assert msg not in result.stdout_text
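Review bot: `test_adtrust_install_cli_without_smbpasswd_file` renames `/usr/bin/smbpasswd` and moves it back only after the assertions, so a failed `expect` or assert leaves the master without the binary for every later test; run the interactive part inside `try:` and put the restoring `mv` in `finally:`. `test_syntax_error_in_ipachangeconf` has the same gap: the `tasks.FileBackup(self.master, paths.KRB5_CONF)` object is discarded, so nothing visible in the hunk puts krb5.conf back after `dns_lookup_kdc` is rewritten; keep the object and call its `restore()` in a `finally:`. `test_user_connects_smb_share_if_locked_specific_group` likewise leaves `/freeipa4234` and the `share` definition behind, and `test_adtrust_install_as_admins_group_user` leaves `testuser1` in `admins` with a fixed password. Separately, in `test_unattended_adtrust_install_uses_default_netbios_name` the adjacent literals join as `...IPA domainOnly up to...` with no separator, so the `msg not in result.stdout_text` check probably cannot fail; asserting on `'Enter the NetBIOS name for the IPA domain'` alone would make it meaningful.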