Commit Graph

76 Commits

Author SHA1 Message Date
Armando Neto
0926cb87da ipatests: Improve test_commands reliability
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:

```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
  -o StrictHostKeyChecking=no -l testsshuser \
  -i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```

This commit forces the homedir creation and adds a timeout to ssh.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-14 14:19:21 +02:00
Anuja More
836b90f652 ipatests : Login via ssh using private-key for ipa-user should work.
Added test for : https://pagure.io/SSSD/sssd/issue/3937

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-12-06 15:41:09 +01:00
Christian Heimes
639bb71940 Don't hard-code client's TLS versions and ciphers
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.

Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.

The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-12-02 16:48:07 +01:00
Christian Heimes
6a17a91672 Skip paramiko tests in FIPS mode
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.

See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-11-29 17:02:16 +01:00
Sergey Orlov
e87357749e
ipatests: add check that ipa-adtrust-install generates sane smb.conf
Related to: https://pagure.io/freeipa/issue/6951

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-11-26 11:14:41 +01:00
Sergey Orlov
14be271533 ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:49:09 -04:00
sumenon
b24359cafa Added testcase to check capitalization fix while running ipa user-mod
1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of  the user is applied.

2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions

Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-29 10:07:32 +02:00
Sumedh Sidhaye
de1fa7cc74 Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-26 15:18:53 +02:00
Christian Heimes
4b7e81fbbe Replace imports from ipaserver
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Christian Heimes
3c98187988 Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP
service.

Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 16:51:40 +02:00
Sergey Orlov
24c77bc4f7 ipatests: fix host name for ssh connection from controller to master
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".

Fixes https://pagure.io/freeipa/issue/7874

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-05 09:25:25 +01:00
Christian Heimes
73bc11a20b Add ldapmodify/search helper functions
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
1a2ceb1557 Use secure LDAP connection in tests
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
965181362a Fix systemd-user HBAC rule
2ef6e14c5a added an invalid HBAC rule that
encoded the service wrongly.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-15 14:29:22 -05:00
Christian Heimes
2ef6e14c5a Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 16:45:05 +01:00
Rob Crittenden
3e8f550c29 Add tests for ipa-cacert-manage install
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-13 10:44:14 +01:00
Christian Heimes
8b0f3595fd Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The
  existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-07 16:28:35 +01:00
Fraser Tweedale
a2ad417490 Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option).  This regression was introduced in the
'cert' plugin in commit 5a44ca6383,
and reflected in the 'ca' plugin in commit
c7064494e5.

The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field.  Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.

Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).

Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-02 10:18:32 +02:00
Michal Reznik
31a92c1677
tests: sssd_ssh fd leaks when user cert converted into SSH key
https://pagure.io/freeipa/issue/7687

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 13:49:34 +02:00
Michal Reznik
0aeccc0852
ipa_tests: test ssh keys login
Integration test for:

https://pagure.io/SSSD/sssd/issue/3747

IPA ticket: https://pagure.io/freeipa/issue/7664

Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-10 17:01:45 +02:00
Florence Blanc-Renaud
c1a0c3c556
Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd

Related to:
https://pagure.io/freeipa/issue/7601

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-06 16:51:56 +02:00
Christian Heimes
6414509343
Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.

Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-02 17:07:43 +02:00
Armando Neto
717d59e2fe Fix regression: Handle unicode where str is expected
Regression caused by 947ac4bc1f when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.

Issue: https://pagure.io/freeipa/issue/7626

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-18 09:53:53 +02:00
Christian Heimes
87904b8f6b Fix ipa console filename
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.

ipa console now uses compile() to compile the code with print_function
__future__ feature.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 18:19:34 +02:00
Rob Crittenden
f976f6cfd8 Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-08 10:49:18 +02:00
Rob Crittenden
7c5ecb8d08 Rename test class for testing simple commands, add test
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:08:21 +02:00