Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>
Signed-off-by: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.
Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".
Fixes https://pagure.io/freeipa/issue/7874
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.
Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami@redhat.com>
The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.
The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.
Fixes https://pagure.io/freeipa/issue/7865
Reviewed-By: François Cami <fcami@redhat.com>
The test TestUserPermissions::test_selinux_user_optimized is
testing the fix for SSSD issue 3819, but the fix is not
available in fedora 28. Hence mark the test as xfail when
executed on fedora <=28 (our nightly tests also run on fed 28).
For full ref: fixed in sssd 1.16.4, Fedora 28 provides
1.16.3-2.fc28 only, while Fedora 29 provides 2.0.0-3.fc29.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa users having default semanage context were optimized out.
This test checks if those users are listed.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Verify that ipa-server-install with external CA and CA type ms-cs adds
the correct extension to the CSR.
Fixes: https://pagure.io/freeipa/issue/7548
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
389-ds-base has modified one option name in dsctl, and our test
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
is still using the old option (--doit) instead of the new one
(--do-it).
Fixes: https://pagure.io/freeipa/issue/7856
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This test checks if issuer DN is updated properly after CA is
renewed back from external-ca to self-signed
related ticket : https://pagure.io/freeipa/issue/7762
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.
Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami@redhat.com>
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The firewall needs to be configured before installing replicas.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.
related ticket : https://pagure.io/freeipa/issue/6979
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.
related ticket: https://pagure.io/freeipa/issue/7288
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The following tests are added in test_ntp_options.py :: TestNTPoptions
- test_server_and_client_install_without_option_n
- test_server_and_client_install_with_option_n
- test_server_and_client_install_with_multiple_ntp_server
- test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
- test_server_and_client_install_with_mixed_options
- test_two_step_replica_install_using_ntp_options
- test_two_step_replica_install_without_ntp_options
Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.
The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.
The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.
The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Add a test checking that --password and --admin-password
options are mutually exclusive.
Related to https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes@redhat.com>
