add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.
Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.
Note: this requires python-cryptography 2.7+.
[0] 3b2102af54
Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In order to troubleshoot certmonger timeouts, collect the
file /run/ipa/renewal.lock that is used as cross-process lock
by ipa-server-guard.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With new Pytest 6.0 [0]:
> PytestDeprecationWarning are now errors by default.
Following our plan to remove deprecated features with as little disruption as
possible, all warnings of type PytestDeprecationWarning now generate errors
instead of warning messages.
PytestWarnings are no longer marked as the part of public API, but as
internal warnings. It's unsafe to use bare PytestDeprecationWarning,
which is turned into the error on major releases.
[0]: https://github.com/pytest-dev/pytest/releases/tag/6.0.0
Fixes: https://pagure.io/freeipa/issue/8435
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf
When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.
This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.
Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Test sending a default template email to the smtp_admin user.
Test that --mail-test and --dry-run cannot be used together.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Initial test suite for EPN.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails when resetting a user's password using kinit in create_active_user.
Add krb5_trace (default: False) to create_active_user and kinit_as_user.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
cifs/... principal on SMB server side has NetBIOS name of the SMB server
as its alias. Test that we can actually initialize credentials using
this alias. We don't need to use it anywhere in Samba, just verify that
alias works.
Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
```
class TestFoo(IntegrationTest):
def test_foo(self):
pass
def test_bar(self, integration_logs):
integration_logs.collect_method_log(self.master, '/logfile')
```
Collected logs:
1) 'test_foo' - default logs
2) 'test_bar' - default logs + /logfile
3) 'TestFoo' - default logs
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e. So, it could be safely removed.
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.
Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
both the path to the backup and the whole result from run_command ;
The path to the backup can be determined from the result.
Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.
Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When a resubmit request is submitted an "invalid cookie"
error message is no longer shown
Earlier an "invlaid cookie" error message was shown when getcert list was called.
The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit
Pagure Issue: https://pagure.io/freeipa/issue/8164
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Fixup for test to verify that POLL will not error out on cookie
Author: Rob Crittenden <rcritten@redhat.com>
Date: Tue Mar 24 15:30:38 2020 -0400
Fixed review comments
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is to confirm that the Directory Manager is not affected by
password policy.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Extend ldappasswd_sysaccount_change() helper to allow changing
passwords as a cn=Directory Manager.
Related to: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.
The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.
Fixes: https://pagure.io/freeipa/issue/8228
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Moved the method so that it can be used by other modules too
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`
This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
early
* has convenient interface for simple options modification,
both in domain and service sections
* allows sophisticated modifications through SSSDConfig object
Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore
https://pagure.io/freeipa/issue/7630
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When a system is in FIPS mode, SSHd can prints some noise to stderr:
FIPS mode initialized\r\n
This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* `cp` now preserves all attributes of original file, there is no reason
to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk
Related to: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain -- two forwarders:
one for root domain and another one for treedomain.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on
and collect the generated audit file. This will help troubleshoot failures
related to DS.
Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.
Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:
> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.
>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.
Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.
About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)
Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:
ipa-run-tests --slices=2 --slice-num=1 test_cmdline
- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:
ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
--slice-num=2 test_cmdline
Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.
Relates to: https://pagure.io/freeipa/issue/7895.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A sublass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.
Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Order of master/replica was incorect which has been
corrected
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The modern PKCS#8 private key format supports better encryption standard
and is preferable over traditional, weak PKCS#1 key format.
Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.
Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.
Additional changes:
* TestEnforcedPosixADTrust was totally removed as it was duplicate of
TestPosixADTrust
* code of repeated checks was moved to methods
* A task was cretated for cleaning up DNS configuration changes made for
establishing trust
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When synchronizing time with windows server using chronyd I often see
error "No suitable source for synchronisation". This happens because chronyd
with default options refuses to use time servers with big jitter and delay.
For some reasons Windows time server does have big jitter. In some test setups
delay also can be rathe big.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to create add DNS forwarder for AD domain.
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 1d9e1521c5.
The reverted commit message states:
"Since DNS configuration is no longer needed for running trust tests,
this method's contents are removed."
In fact tests can run without DNS configuration only in case if test setup
has a DNS server with DNSSEC support and there are A records for Windows
machines and SRV records Windows AD services and this DNS server is used
as forwarder by bind. If one of these in not true
then tests fail when trying to establish trust (ipa trust-add) as --server
option is not used and ipa can not find the AD machine. If we specify
--server option and add Windows hosts to /etc/hosts, then trust will be
established, but then sssd will fail to find the host to talk for getting users
from AD. So for general case we should setup DNS forwarders prior to
establishing trust, as stated in
https://www.freeipa.org/page/Active_Directory_trust_setup
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Manual revert of bbac233b5e
The assumption was that ldap.conf was hosed and it couldn't
tell what hostname to use so one was hardcoded. This code
doesn't explicitly test that ldap.conf is sane but it is
a nice side-effect I suppose.
https://pagure.io/freeipa/issue/5880
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
master.external_hostname was used to construct ldap url
which caused ldappasswd utility to exit with error due to host name
mismatch in client certificate. master.hostname should be used instead
as this name is used to generate certificate.
Fixes https://pagure.io/freeipa/issue/7844
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
mh.install() is the default multi host installer. Most integration test
classes use it to install master, replicas, and clients. In case of a
failed installation, the test collector step is skipped.
Guard log collection with a try/finally block so logs are always
collected.
Also collect journald output for mh.install() steps. The journal output
was missing from installation logs and were only available in each test
step.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
pytest_multihost's run_command() does not log stderr when a command
fails. Wrap the function call to log stderr so it's easier to debug
failing tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This fix will make sure that the firewall services are only cleaned up if
the clean flag is True for example for backup and restore tests where the
clean flag is set to False for the server uninstall.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
install_master: Enable firewall services freeipa-ldap and freeipa-ldaps by
default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled after the master has been
successfully installed.
install_replica: Enable firewall services freeipa-ldap and freeipa-ldaps
by default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled before the replica gets
installed and disabled if the installation failed.
install_adtrust: Enable firewall service freeipa-trust after
ipa-adtrust-install has been called.
uninstall_master: Disable services freeipa-ldap, freeipa-ldaps,
freeipa-trust and dns after ipa-server-install --uninstall -U has been
called.
install_dns: Enable firewall service dns after ipa-dns-install has been
called.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The new Firewall class provides methods to enable and disable a service,
service lists and also methods to apply a passthrough rule, also to add,
prepend and also remove a list of passthrough rules:
class Firewall
__init__(host)
Initialize with host where firewall changes should be applied
Unmasks, enables and starts firewalld
enable_service(service)
Enable firewall service in firewalld runtime and permanent
environment
disable_service(service)
Disable firewall service in firewalld runtime and permanent
environment
enable_services(services)
Enable list of firewall services in firewalld runtime and
permanent environment
disable_services(services)
Disable list of firewall services in firewalld runtime and
permanent environment
passthrough_rule(rule, ipv=None)
Generic method to get direct passthrough rules to firewalld
rule is an ip[6]tables rule without using the ip[6]tables command.
The rule will per default be added to the IPv4 and IPv6 firewall.
If there are IP version specific parts in the rule, please make
sure that ipv is set properly.
The rule is added to the direct sub chain of the chain that is
used in the rule
add_passthrough_rules(rules, ipv=None)
Add passthough rules to the end of the chain
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
prepend_passthrough_rules(rules, ipv=None)
Insert passthough rules starting at position 1 as a block
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
remove_passthrough_rules(rules, ipv=None)
Remove passthrough rules
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.
The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.
Fixes https://pagure.io/freeipa/issue/7545
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.
A new workaround detects the blocked port and restarts rpcbind.service.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running the integration tests capture the uninstallation
logs as well as the installation logs.
Reviewed-By: Christian Heimes <cheimes@redhat.com>