ipatests: add test for ipa-adtrust-install --add-agents

Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).

Thanks to sorlov for the nightly test definitions and new test.

Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>

ipatests/prci_definitions/gating.yaml

@@ -263,3 +263,14 @@ jobs:
         timeout: 1800
         topology: *master_1repl
 
+  fedora-latest/test_adtrust_install:
+    requires: [fedora-latest/build]
+    priority: 100
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest/build_url}'
+        test_suite: test_integration/test_adtrust_install.py
+        template: *ci-master-latest
+        timeout: 3600
+        topology: *master_1repl

ipatests/prci_definitions/nightly_latest.yaml

@@ -1484,3 +1484,15 @@ jobs:
         template: *ci-master-latest
         timeout: 7200
         topology: *master_1repl
+
+  fedora-latest/test_adtrust_install:
+    requires: [fedora-latest/build]
+    priority: 100
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest/build_url}'
+        test_suite: test_integration/test_adtrust_install.py
+        template: *ci-master-latest
+        timeout: 3600
+        topology: *master_1repl

ipatests/prci_definitions/nightly_latest_testing.yaml

@@ -1587,3 +1587,16 @@ jobs:
         template: *testing-master-latest
         timeout: 7200
         topology: *master_1repl
+
+  testing-fedora/test_adtrust_install:
+    requires: [testing-fedora/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{testing-fedora/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_adtrust_install.py
+        template: *testing-master-latest
+        timeout: 3600
+        topology: *master_1repl

ipatests/prci_definitions/nightly_previous.yaml

@@ -1460,3 +1460,15 @@ jobs:
         template: *ci-master-previous
         timeout: 7200
         topology: *master_1repl
+
+  fedora-previous/test_adtrust_install:
+    requires: [fedora-previous/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-previous/build_url}'
+        test_suite: test_integration/test_adtrust_install.py
+        template: *ci-master-previous
+        timeout: 3600
+        topology: *master_1repl

ipatests/prci_definitions/nightly_rawhide.yaml

@@ -1601,3 +1601,16 @@ jobs:
         template: *ci-master-frawhide
         timeout: 7200
         topology: *master_1repl
+
+  fedora-rawhide/test_adtrust_install:
+    requires: [fedora-rawhide/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-rawhide/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_adtrust_install.py
+        template: *ci-master-frawhide
+        timeout: 3600
+        topology: *master_1repl

ipatests/test_integration/test_adtrust_install.py

@@ -0,0 +1,201 @@
+#
+# Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+#
+
+"""This module provides tests for ipa-adtrust-install utility"""
+
+import re
+import textwrap
+
+from ipaplatform.paths import paths
+from ipapython.dn import DN
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+
+class TestIpaAdTrustInstall(IntegrationTest):
+    topology = 'line'
+    num_replicas = 1
+
+    def unconfigure_replica_as_agent(self, host):
+        """ Remove a replica from the list of agents.
+
+        cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN contains a list
+        of members representing the agents. Remove the replica principal
+        from this list.
+        This is a hack allowing to run multiple times
+        ipa-adtrust-install --add-agents
+        (otherwise if the replica is in the list of agents, it won't be seen
+        as a possible agent to be added).
+        """
+        remove_agent_ldif = textwrap.dedent("""
+             dn: cn=adtrust agents,cn=sysaccounts,cn=etc,{base_dn}
+             changetype: modify
+             delete: member
+             member: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
+             """.format(base_dn=host.domain.basedn, hostname=host.hostname))
+        # ok_returncode =16 if the attribute is not present
+        tasks.ldapmodify_dm(self.master, remove_agent_ldif,
+                            ok_returncode=[0, 16])
+
+    def test_samba_config_file(self):
+        """Check that ipa-adtrust-install generates sane smb.conf
+        This is regression test for issue
+        https://pagure.io/freeipa/issue/6951
+        """
+        self.master.run_command(
+            ['ipa-adtrust-install', '-a', self.master.config.admin_password,
+             '--add-sids', '-U'])
+        res = self.master.run_command(['testparm', '-s'])
+        assert 'ERROR' not in (res.stdout_text + res.stderr_text)
+
+    def test_add_agent_not_allowed(self):
+        """Check that add-agents can be run only by Admins."""
+        user = "nonadmin"
+        passwd = "Secret123"
+        host = self.replicas[0].hostname
+        data_fmt = '{{"method":"trust_enable_agent","params":[["{}"],{{}}]}}'
+
+        try:
+            # Create a nonadmin user that will be used by curl
+            tasks.create_active_user(self.master, user, passwd,
+                                     first=user, last=user)
+            tasks.kinit_as_user(self.master, user, passwd)
+            # curl --negotiate -u : is using GSS-API i.e. nonadmin user
+            cmd_args = [
+                paths.BIN_CURL,
+                '-H', 'referer:https://{}/ipa'.format(host),
+                '-H', 'Content-Type:application/json',
+                '-H', 'Accept:applicaton/json',
+                '--negotiate', '-u', ':',
+                '--cacert', paths.IPA_CA_CRT,
+                '-d', data_fmt.format(host),
+                '-X', 'POST', 'https://{}/ipa/json'.format(host)]
+            res = self.master.run_command(cmd_args)
+            expected = 'Insufficient access: not allowed to remotely add agent'
+            assert expected in res.stdout_text
+        finally:
+            tasks.kinit_admin(self.master)
+            self.master.run_command(['ipa', 'user-del', user])
+
+    def test_add_agent_on_stopped_replica(self):
+        """ Check ipa-adtrust-install --add-agents when the replica is stopped.
+
+        Scenario: stop a replica
+        Call ipa-adtrust-install --add-agents and configure the stopped replica
+        as a new agent.
+        The tool must detect that the replica is stopped and warn that
+        a part of the configuration failed.
+
+        Test for https://pagure.io/freeipa/issue/8148
+        """
+        self.unconfigure_replica_as_agent(self.replicas[0])
+        self.replicas[0].run_command(['ipactl', 'stop'])
+
+        cmd_input = (
+            # admin password:
+            self.master.config.admin_password + '\n' +
+            # WARNING: The smb.conf already exists. Running ipa-adtrust-install
+            # will break your existing samba configuration.
+            # Do you wish to continue? [no]:
+            'yes\n'
+            # Enable trusted domains support in slapi-nis? [no]:
+            '\n' +
+            # WARNING: 1 IPA masters are not yet able to serve information
+            # about users from trusted forests.
+            # Installer can add them to the list of IPA masters allowed to
+            # access information about trusts.
+            # If you choose to do so, you also need to restart LDAP service on
+            # those masters.
+            # Refer to ipa-adtrust-install(1) man page for details.
+            # IPA master[replica1.testrelm.test]?[no]:
+            'yes\n'
+        )
+        try:
+            res = self.master.run_command(['ipa-adtrust-install',
+                                           '--add-agents'],
+                                          stdin_text=cmd_input)
+            expected_re = '"ipactl restart".+"systemctl restart sssd"'
+            assert re.search(expected_re, res.stdout_text, re.DOTALL)
+        finally:
+            self.replicas[0].run_command(['ipactl', 'start'])
+
+    def test_add_agent_on_running_replica_without_compat(self):
+        """ Check ipa-adtrust-install --add-agents when the replica is running
+
+        Scenario: replica up and running
+        Call ipa-adtrust-install --add-agents and configure the replica as
+        a new agent.
+        The Schema Compat plugin must be automatically configured on the
+        replica.
+        """
+        self.unconfigure_replica_as_agent(self.replicas[0])
+        cmd_input = (
+            # admin password:
+            self.master.config.admin_password + '\n' +
+            # WARNING: The smb.conf already exists. Running ipa-adtrust-install
+            # will break your existing samba configuration.
+            # Do you wish to continue? [no]:
+            'yes\n'
+            # Enable trusted domains support in slapi-nis? [no]:
+            '\n' +
+            # WARNING: 1 IPA masters are not yet able to serve information
+            # about users from trusted forests.
+            # Installer can add them to the list of IPA masters allowed to
+            # access information about trusts.
+            # If you choose to do so, you also need to restart LDAP service on
+            # those masters.
+            # Refer to ipa-adtrust-install(1) man page for details.
+            # IPA master[replica1.testrelm.test]?[no]:
+            'yes\n'
+        )
+        expected = '"ipactl restart"'
+        res = self.master.run_command(['ipa-adtrust-install', '--add-agents'],
+                                      stdin_text=cmd_input)
+        # The replica must have been restarted automatically, no msg required
+        assert expected not in res.stdout_text
+
+    def test_add_agent_on_running_replica_with_compat(self):
+        """ Check ipa-addtrust-install --add-agents when the replica is running
+
+        Scenario: replica up and running
+        Call ipa-adtrust-install --add-agents --enable-compat and configure
+        the replica as a new agent.
+        The Schema Compat plugin must be automatically configured on the
+        replica.
+        """
+        self.unconfigure_replica_as_agent(self.replicas[0])
+
+        cmd_input = (
+            # admin password:
+            self.master.config.admin_password + '\n' +
+            # WARNING: The smb.conf already exists. Running ipa-adtrust-install
+            # will break your existing samba configuration.
+            # Do you wish to continue? [no]:
+            'yes\n'
+            # Enable trusted domains support in slapi-nis? [no]:
+            'yes\n' +
+            # WARNING: 1 IPA masters are not yet able to serve information
+            # about users from trusted forests.
+            # Installer can add them to the list of IPA masters allowed to
+            # access information about trusts.
+            # If you choose to do so, you also need to restart LDAP service on
+            # those masters.
+            # Refer to ipa-adtrust-install(1) man page for details.
+            # IPA master[replica1.testrelm.test]?[no]:
+            'yes\n'
+        )
+        expected = '"ipactl restart"'
+        res = self.master.run_command(['ipa-adtrust-install', '--add-agents'],
+                                      stdin_text=cmd_input)
+        # The replica must have been restarted automatically, no msg required
+        assert expected not in res.stdout_text
+
+        # Ensure that the schema compat plugin is configured:
+        conn = self.replicas[0].ldap_connect()
+        entry = conn.get_entry(DN(
+            "cn=users,cn=Schema Compatibility,cn=plugins,cn=config"))
+        assert entry.single_value['schema-compat-lookup-nsswitch'] == "user"
+        entry = conn.get_entry(DN(
+            "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"))
+        assert entry.single_value['schema-compat-lookup-nsswitch'] == "group"

ipatests/test_integration/test_commands.py

@@ -813,17 +813,6 @@ class TestIPACommand(IntegrationTest):
         assert is_tls_version_enabled('tls1_2')
         assert is_tls_version_enabled('tls1_3')
 
-    def test_samba_config_file(self):
-        """Check that ipa-adtrust-install generates sane smb.conf
-
-        This is regression test for issue
-        https://pagure.io/freeipa/issue/6951
-        """
-        self.master.run_command(
-            ['ipa-adtrust-install', '-a', 'Secret123', '--add-sids', '-U'])
-        res = self.master.run_command(['testparm', '-s'])
-        assert 'ERROR' not in (res.stdout_text + res.stderr_text)
-
     @pytest.mark.skip(reason='https://pagure.io/freeipa/issue/8151')
     def test_sss_ssh_authorizedkeys(self):
         """Login via Ssh using private-key for ipa-user should work.