mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-13 09:41:55 -06:00
f976f6cfd8
The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade. https://pagure.io/freeipa/issue/6610 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
167 lines
5.7 KiB
Python
167 lines
5.7 KiB
Python
#
|
|
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""Misc test for 'ipa' CLI regressions
|
|
"""
|
|
from __future__ import absolute_import
|
|
|
|
import base64
|
|
import ssl
|
|
from tempfile import NamedTemporaryFile
|
|
import textwrap
|
|
|
|
from ipaplatform.paths import paths
|
|
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.pytest_plugins.integration import tasks
|
|
|
|
|
|
class TestIPACommand(IntegrationTest):
|
|
"""
|
|
A lot of commands can be executed against a single IPA installation
|
|
so provide a generic class to execute one-off commands that need to be
|
|
tested without having to fire up a full server to run one command.
|
|
"""
|
|
topology = 'line'
|
|
|
|
def get_cert_base64(self, host, path):
|
|
"""Retrieve cert and return content as single line, base64 encoded
|
|
"""
|
|
cacrt = host.get_file_contents(path, encoding='ascii')
|
|
cader = ssl.PEM_cert_to_DER_cert(cacrt)
|
|
return base64.b64encode(cader).decode('ascii')
|
|
|
|
def test_certmap_match_issue7520(self):
|
|
# https://pagure.io/freeipa/issue/7520
|
|
tasks.kinit_admin(self.master)
|
|
result = self.master.run_command(
|
|
['ipa', 'certmap-match', paths.IPA_CA_CRT],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert not result.stderr_text
|
|
assert "0 users matched" in result.stdout_text
|
|
|
|
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
|
|
result = self.master.run_command(
|
|
['ipa', 'certmap-match', '--certificate', cab64],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert not result.stderr_text
|
|
assert "0 users matched" in result.stdout_text
|
|
|
|
def test_cert_find_issue7520(self):
|
|
# https://pagure.io/freeipa/issue/7520
|
|
tasks.kinit_admin(self.master)
|
|
subject = 'CN=Certificate Authority,O={}'.format(
|
|
self.master.domain.realm)
|
|
|
|
# by cert file
|
|
result = self.master.run_command(
|
|
['ipa', 'cert-find', '--file', paths.IPA_CA_CRT]
|
|
)
|
|
assert subject in result.stdout_text
|
|
assert '1 certificate matched' in result.stdout_text
|
|
|
|
# by base64 cert
|
|
cab64 = self.get_cert_base64(self.master, paths.IPA_CA_CRT)
|
|
result = self.master.run_command(
|
|
['ipa', 'cert-find', '--certificate', cab64]
|
|
)
|
|
assert subject in result.stdout_text
|
|
assert '1 certificate matched' in result.stdout_text
|
|
|
|
def test_add_permission_failure_issue5923(self):
|
|
# https://pagure.io/freeipa/issue/5923
|
|
# error response used to contain bytes instead of text
|
|
|
|
tasks.kinit_admin(self.master)
|
|
# neither privilege nor permission exists
|
|
result = self.master.run_command(
|
|
["ipa", "privilege-add-permission", "loc",
|
|
"--permission='System: Show IPA Locations"],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 2
|
|
err = result.stderr_text.strip() # pylint: disable=no-member
|
|
assert err == "ipa: ERROR: loc: privilege not found"
|
|
# add privilege
|
|
result = self.master.run_command(
|
|
["ipa", "privilege-add", "loc"],
|
|
)
|
|
assert 'Added privilege "loc"' in result.stdout_text
|
|
# permission is still missing
|
|
result = self.master.run_command(
|
|
["ipa", "privilege-add-permission", "loc",
|
|
"--permission='System: Show IPA Locations"],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert "Number of permissions added 0" in result.stdout_text
|
|
|
|
def test_change_sysaccount_password_issue7561(self):
|
|
sysuser = 'system'
|
|
original_passwd = 'Secret123'
|
|
new_passwd = 'userPasswd123'
|
|
|
|
master = self.master
|
|
|
|
base_dn = str(master.domain.basedn) # pylint: disable=no-member
|
|
tf = NamedTemporaryFile()
|
|
ldif_file = tf.name
|
|
entry_ldif = textwrap.dedent("""
|
|
dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
|
|
changetype: add
|
|
objectclass: account
|
|
objectclass: simplesecurityobject
|
|
uid: system
|
|
userPassword: {original_passwd}
|
|
passwordExpirationTime: 20380119031407Z
|
|
nsIdleTimeout: 0
|
|
""").format(
|
|
base_dn=base_dn,
|
|
original_passwd=original_passwd)
|
|
master.put_file_contents(ldif_file, entry_ldif)
|
|
arg = ['ldapmodify',
|
|
'-h', master.hostname,
|
|
'-p', '389', '-D',
|
|
str(master.config.dirman_dn), # pylint: disable=no-member
|
|
'-w', master.config.dirman_password,
|
|
'-f', ldif_file]
|
|
master.run_command(arg)
|
|
|
|
tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
|
|
new_passwd, master)
|
|
|
|
def test_change_selinuxusermaporder(self):
|
|
"""
|
|
An update file meant to ensure a more sane default was
|
|
overriding any customization done to the order.
|
|
"""
|
|
maporder = "unconfined_u:s0-s0:c0.c1023"
|
|
|
|
# set a new default
|
|
result = self.master.run_command(
|
|
["ipa", "config-mod",
|
|
"--ipaselinuxusermaporder={}".format(maporder)],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 0
|
|
|
|
# apply the update
|
|
result = self.master.run_command(
|
|
["ipa-server-upgrade"],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 0
|
|
|
|
# ensure result is the same
|
|
result = self.master.run_command(
|
|
["ipa", "config-show"],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 0
|
|
assert "SELinux user map order: {}".format(
|
|
maporder) in result.stdout_text
|