Commit Graph

566 Commits

Author SHA1 Message Date
Stanislav Levin
b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00
Alexander Bokovoy
814592cf22 ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Anuja More
986e16dafe ipatests: POSIX attributes are no longer overwritten or missing
Added test which validates that POSIX attributes, such
as shell or home directory, are no longer overwritten or missing.

Related Ticket : https://pagure.io/SSSD/sssd/issue/2474

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 14:26:20 +02:00
François Cami
694c3667c7 ipatests: add proper timeouts to nfs.py
When tests for https://pagure.io/freeipa/issue/7918 were
written no sleep interval was provided between calls to
ipa-client-automount leading to random test failures.
Add sleep intervals.

Related-to: https://pagure.io/freeipa/issue/7918
Related-to: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami@redhat.com
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-26 12:55:06 +02:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
François Cami
3a233a907a nfs.py: fix user creation
nfs.py calls "ipa user-add" without inputting the password twice
leading to a timeout. Input password twice then.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:09:53 +10:00
Florence Blanc-Renaud
910ff25bad ipatests: fix TestUserPermissions::test_selinux_user_optimized
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).

The vagrant images currently in use in the nightly tests
are configured with selinux disabled.  Add skipif marker when
selinux is disabled.

Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami@redhat.com>
2019-06-13 23:24:01 +02:00
Florence Blanc-Renaud
6ec3c84c0c ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
The test test_backup_and_restore.py::TestBackupAndRestore
test_full_backup_and_restore_with_selinux_booleans_off
requires SELinux to be enabled because it's using
getsebool command.

Skip the test if SELinux is disabled.

Fixes: https://pagure.io/freeipa/issue/7970
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-11 15:40:58 -04:00
Florence Blanc-Renaud
07f7e3eaec
ipatests: fix test_caless.py
Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".

The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.

This commit answers 'no' to the question and allows to proceed with
the ipa server installation.

Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-06-10 12:02:17 +02:00
Kaleemullah Siddiqui
1d03afc908 Tests for autounmembership feature
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077

Tests for autounmembership feature has been added in
this PR

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-06 16:51:55 +02:00
Sergey Orlov
3f02fc945e ipatests: new tests for establishing one-way AD trust with shared secret
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
   netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
   powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be  fetched and AD user data can be queried by IPA client.

Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2019-05-29 10:44:41 +03:00
Florence Blanc-Renaud
0b21e2ab9f ipatests: add integration test for ipa-replica-manage list
The command
    ipa-replica-manage list -v <node>
can display:
    last init ended: 1970-01-01 00:00:00+00:00
    last init status: None
when called on a node that never had total update.
The fix for 7716 modifies the command so that it doesn't print
those lines when there is no last init status.

This commit adds a new test checking the output of
ipa-replica-manage list -v <node>.

Related to: https://pagure.io/freeipa/issue/7716

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-28 15:02:49 -04:00
Mohammad Rizwan Yusuf
581b7148f4 Test if ipactl restart restarts the pki-tomcatd
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.

related ticket : https://pagure.io/freeipa/issue/7927

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-05-28 09:43:40 +02:00
Fraser Tweedale
f9b22283dd add test for external CA key size sanity check
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.

Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 10:04:30 +03:00
Tibor Dudlák
be39d3a99b
ipatests: Add Unattended option to external ca task
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Florence Blanc-Renaud
4804103315 ipatests: CA renewal must refresh cn=CAcert
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
         ipaconfigstring: ipaCA

Related to https://pagure.io/freeipa/issue/7928

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Florence Blanc-Renaud
7fe10d9903 ipatests: add integration test checking the files mode
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.

Related to https://pagure.io/freeipa/issue/7934

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Christian Heimes
4b7e81fbbe Replace imports from ipaserver
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Alexander Bokovoy
245a8bcdfe test_legacy_clients: fix class inheritance
Fixes: https://pagure.io/freeipa/issue/7940
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-16 09:51:45 +03:00
François Cami
d76737e4c6 ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-06 17:46:19 +02:00
Christian Heimes
3c98187988 Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP
service.

Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 16:51:40 +02:00
Christian Heimes
d7e17655c7 Check for SELinux AVCs after installation
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:50:23 +02:00
Sergey Orlov
f5912d0099 ipatests: new tests for ipa-winsync-migrate utility
Fixes https://pagure.io/freeipa/issue/7857

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 14:46:11 +02:00
Christian Heimes
74e09087ed Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 12:53:08 +02:00
Christian Heimes
dd58a705e5 Fix and extend pki config override test
* override ipa_ca_key_size
* test with SHA512withRSA

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 17:08:24 +02:00
Robbie Harwood
5ecede781b Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.

On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-17 13:56:05 +02:00
François Cami
0ba25c7e68 ipatests: add nfs tests
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.

This extends the existing automount location test and must be
run nightly.

Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Peter Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-16 16:58:54 +02:00
Christian Heimes
45b8cc1d83 Increase default key size for CA to 3072 bits
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.

According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.

Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-16 16:51:40 +02:00
Christian Heimes
80928ba6f5 Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.

On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.

On systems without NM, fall back to create /etc/resolv.conf directly.

Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-04-16 10:45:59 +02:00
Christian Heimes
42efdc7bb1 Add test case for pki config override
Install CA with 4096bit RSA key and SHA-384 signature.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
3c354e74f3 Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.

Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-04 10:05:10 +02:00
Sergey Orlov
c819716521 ipatests: refactor test_trust.py
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.

Additional changes:
 * TestEnforcedPosixADTrust was totally removed as it was duplicate of
   TestPosixADTrust
 * code of repeated checks was moved to methods
 * A task was cretated for cleaning up DNS configuration changes made for
   establishing trust

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Sergey Orlov
94a6cb11ea ipatests: adapt test_trust.py for changes in multihost fixture
AD hosts can now be extracted from list in respective class attributes and host
domain names -- from properties provided by multihost plugin (host.domain.name).
Also removed conditional skips of tests when test configuration contains only
part of required AD machines as this feature never worked:
multihost plugin removes all machines from config which are not explicitly
requested.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Sergey Orlov
35a4642ad0 ipatests: allow AD hosts to be placed in separate domain config objects
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Sergey Orlov
e8955cc796 ipatests: fix expectations of ipa trust-find output for trust with root domain
Test was expecting that when trust is established with forest root, than all
three AD domains should be found when quering trust-find for that domain.
Actually only root domain and its subdomain should be returned, without
the tree domain.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Sergey Orlov
1d0a612a0f ipatests: in test_trust.py fix parent class
TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Sergey Orlov
3e01d2619e ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
It was changed in f487233df0
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c5. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-01 10:24:46 -04:00
Christian Heimes
c3fc551c2a Disable flaky hidden replica backup test
The test case for hidden replica restore is flaky and sometimes fails.
The general issues is covered by upstream bug 7894.

See: https://pagure.io/freeipa/issue/7894
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2019-04-01 16:10:59 +02:00
Tibor Dudlák
692cbc5d3f
Fix test_ntp_options to use tasks' methods
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.

Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-29 18:56:40 +01:00
Christian Heimes
e04dc9a8e1 Test replica installation from hidden replica
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
8b1bb211c4 Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
e7e0f190bb Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
f839d3c916 More test fixes
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
56d97f942b Improve config-show to show hidden servers
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.

The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
99133eb12b Simplify and improve tests
Move tests for DNS and roles into helper methods to make them reusable.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
François Cami
0770d8a004 ipatests: Exercise hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.

Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>
Signed-off-by: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Florence Blanc-Renaud
4e3a64f703 Test: add new tests for ipa-crlgen-manage
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.

Related to: https://pagure.io/freeipa/issue/5803

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
François Cami
f2e7c3f68b ipatests: add too-restritive mask tests
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.

Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-13 16:09:24 +01:00
Sergey Orlov
24c77bc4f7 ipatests: fix host name for ssh connection from controller to master
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".

Fixes https://pagure.io/freeipa/issue/7874

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-05 09:25:25 +01:00
François Cami
40dd0979a4 ipatests: remove all occurrences of osinfo.version_id
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.

Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-01 08:38:11 +01:00