websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.7.2-3

Browse Source
This commit is contained in:
Timo Aaltonen
2019-05-06 08:43:34 +03:00
committed by Mario Fetka
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ipatests/test_cmdline/cmdline.py
View File

@@ -25,8 +25,7 @@ from __future__ import absolute_import
import distutils.spawn
import os
import pytest
import unittest
from ipalib import api
from ipalib import errors
@@ -52,12 +51,11 @@ class cmdline_test(XMLRPC_test):
# some reasonable default command
command = paths.LS
@pytest.fixture(autouse=True, scope="class")
def cmdline_setup(self, request, xmlrpc_setup):
@classmethod
def setup_class(cls):
# Find the executable in $PATH
# This is neded because ipautil.run resets the PATH to
# a system default.
cls = request.cls
original_command = cls.command
if not os.path.isabs(cls.command):
cls.command = distutils.spawn.find_executable(cls.command)
@@ -67,7 +65,8 @@ class cmdline_test(XMLRPC_test):
raise AssertionError(
'Command %r not available' % original_command
)
super(cmdline_test, cls).setup_class()
if not server_available:
pytest.skip(
raise unittest.SkipTest(
'Server not available: %r' % api.env.xmlrpc_uri
)

20
ipatests/test_cmdline/test_cli.py
View File

@@ -1,12 +1,13 @@
import contextlib
import os
from io import StringIO
import shlex
import subprocess
import sys
import tempfile
import unittest
import six
from six import StringIO
from ipatests import util
from ipatests.test_ipalib.test_x509 import goodcert_headers
@@ -24,7 +25,7 @@ BASE_DIR = os.path.abspath(os.path.join(HERE, os.pardir, os.pardir))
@pytest.mark.tier0
@pytest.mark.needs_ipaapi
class TestCLIParsing:
class TestCLIParsing(object):
"""Tests that commandlines are correctly parsed to Command keyword args
"""
def check_command(self, commandline, expected_command_name, **kw_expected):
@@ -44,8 +45,8 @@ class TestCLIParsing:
try:
api.Command[command_name](**kw)
except errors.NetworkError:
pytest.skip('%r: Server not available: %r' %
(self.__module__, api.env.xmlrpc_uri))
raise unittest.SkipTest('%r: Server not available: %r' %
(self.__module__, api.env.xmlrpc_uri))
@contextlib.contextmanager
def fake_stdin(self, string_in):
@@ -123,7 +124,7 @@ class TestCLIParsing:
try:
self.run_command('dnszone_add', idnsname=TEST_ZONE)
except errors.NotFound:
pytest.skip('DNS is not configured')
raise unittest.SkipTest('DNS is not configured')
try:
self.run_command('dnsrecord_add',
dnszoneidnsname=TEST_ZONE,
@@ -151,7 +152,7 @@ class TestCLIParsing:
try:
self.run_command('dnszone_add', idnsname=TEST_ZONE)
except errors.NotFound:
pytest.skip('DNS is not configured')
raise unittest.SkipTest('DNS is not configured')
try:
records = (u'1 1 E3B72BA346B90570EED94BE9334E34AA795CED23',
u'2 1 FD2693C1EFFC11A8D2BE57229212A04B45663791')
@@ -231,7 +232,7 @@ class TestCLIParsing:
self.run_command(
'dnszone_add', idnsname=TEST_ZONE)
except errors.NotFound:
pytest.skip('DNS is not configured')
raise unittest.SkipTest('DNS is not configured')
try:
self.run_command(
'dnsrecord_add',
@@ -366,8 +367,8 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
[
# Commands delivered by the client pkg
(['ipa'], 1, None, IPA_CLIENT_NOT_CONFIGURED),
(['ipa-certupdate'], 2, None, IPA_CLIENT_NOT_CONFIGURED),
(['ipa-client-automount'], 2, IPA_CLIENT_NOT_CONFIGURED, None),
(['ipa-certupdate'], 1, None, IPA_CLIENT_NOT_CONFIGURED),
(['ipa-client-automount'], 1, IPA_CLIENT_NOT_CONFIGURED, None),
# Commands delivered by the server pkg
(['ipa-adtrust-install'], 2, None, IPA_NOT_CONFIGURED),
(['ipa-advise'], 2, None, IPA_NOT_CONFIGURED),
@@ -376,7 +377,6 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
(['ipa-ca-install'], 1, None,
b'IPA server is not configured on this system'),
(['ipa-compat-manage'], 2, None, IPA_NOT_CONFIGURED),
(['ipa-crlgen-manage'], 2, None, IPA_NOT_CONFIGURED),
(['ipa-csreplica-manage'], 1, None, IPA_NOT_CONFIGURED),
(['ipactl', 'status'], 4, None, b'IPA is not configured'),
(['ipa-dns-install'], 2, None, IPA_NOT_CONFIGURED),

44
ipatests/test_cmdline/test_console.py
View File

@@ -1,44 +0,0 @@
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
import inspect
import io
import pydoc
import pytest
from ipalib import api
@pytest.fixture()
def api_obj():
if not api.Backend.rpcclient.isconnected():
api.Backend.rpcclient.connect()
yield api
@pytest.mark.tier0
@pytest.mark.needs_ipaapi
class TestIPAConsole:
def run_pydoc(self, plugin):
s = io.StringIO()
# help() calls pydoc.doc() with pager
pydoc.doc(plugin, "Help %s", output=s)
return s.getvalue()
def test_dir(self, api_obj):
assert "Command" in dir(api_obj)
assert "group_add" in dir(api_obj.Command)
def test_signature(self, api_obj):
sig = api_obj.Command.group_add.__signature__
assert isinstance(sig, inspect.Signature)
params = sig.parameters
assert params['cn'].kind is inspect.Parameter.POSITIONAL_OR_KEYWORD
assert params['cn'].annotation is str
assert params['description'].kind is inspect.Parameter.KEYWORD_ONLY
def test_help(self, api_obj):
s = self.run_pydoc(api_obj.Command.group_add)
# check for __signature__ in help()
assert "group_add(cn: str, *, description: str = None," in s

4
ipatests/test_cmdline/test_help.py
View File

@@ -19,11 +19,11 @@
import sys
import os
from io import StringIO
import shutil
import errno
import six
from six import StringIO
from ipalib import api, errors
from ipaserver.plugins.user import user_add
@@ -37,7 +37,7 @@ pytestmark = pytest.mark.needs_ipaapi
@pytest.mark.tier0
class CLITestContext:
class CLITestContext(object):
"""Context manager that replaces stdout & stderr, and catches SystemExit
Whatever was printed to the streams is available in ``stdout`` and

277
ipatests/test_cmdline/test_ipagetkeytab.py Executable file → Normal file
View File

@@ -29,38 +29,31 @@ import tempfile
import gssapi
import pytest
from ipapython.ipautil import private_ccache
from ipalib import api, errors
from ipalib.request import context
from ipalib import api
from ipaplatform.paths import paths
from ipapython import ipautil, ipaldap
from ipaserver.plugins.ldap2 import ldap2
from ipatests.test_cmdline.cmdline import cmdline_test
from ipatests.test_xmlrpc.tracker import host_plugin, service_plugin
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, add_oc
from contextlib import contextmanager
@contextmanager
def use_keytab(principal, keytab):
with private_ccache() as ccache_file:
try:
old_principal = getattr(context, 'principal', None)
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file,
'client_keytab': keytab}
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(ccache=ccache_file,
autobind=ipaldap.AUTOBIND_DISABLED)
yield conn
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise Exception('Unable to bind to LDAP. Error initializing '
'principal %s in %s: %s' % (principal, keytab,
str(e)))
finally:
setattr(context, 'principal', old_principal)
try:
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
ccache_file = 'FILE:%s/ccache' % tmpdir
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file,
'client_keytab': keytab}
os.environ['KRB5CCNAME'] = ccache_file
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise Exception('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
finally:
os.environ.pop('KRB5CCNAME', None)
if tmpdir:
shutil.rmtree(tmpdir)
@pytest.fixture(scope='class')
@@ -70,7 +63,7 @@ def test_host(request):
@pytest.fixture(scope='class')
def test_service(request, test_host, keytab_retrieval_setup):
def test_service(request, test_host):
service_tracker = service_plugin.ServiceTracker(u'srv', test_host.name)
test_host.ensure_exists()
return service_tracker.make_fixture(request)
@@ -84,9 +77,10 @@ class KeytabRetrievalTest(cmdline_test):
command = "ipa-getkeytab"
keytabname = None
@pytest.fixture(autouse=True, scope="class")
def keytab_retrieval_setup(self, request, cmdline_setup):
cls = request.cls
@classmethod
def setup_class(cls):
super(KeytabRetrievalTest, cls).setup_class()
keytabfd, keytabname = tempfile.mkstemp()
os.close(keytabfd)
@@ -94,16 +88,17 @@ class KeytabRetrievalTest(cmdline_test):
cls.keytabname = keytabname
def fin():
try:
os.unlink(cls.keytabname)
except OSError:
pass
@classmethod
def teardown_class(cls):
super(KeytabRetrievalTest, cls).teardown_class()
request.addfinalizer(fin)
try:
os.unlink(cls.keytabname)
except OSError:
pass
def run_ipagetkeytab(self, service_principal, args=tuple(),
raiseonerr=False, stdin=None):
raiseonerr=False):
new_args = [self.command,
"-p", service_principal,
"-k", self.keytabname]
@@ -115,7 +110,7 @@ class KeytabRetrievalTest(cmdline_test):
return ipautil.run(
new_args,
stdin=stdin,
stdin=None,
raiseonerr=raiseonerr,
capture_error=True)
@@ -167,9 +162,7 @@ class test_ipagetkeytab(KeytabRetrievalTest):
"""
Try to use the service keytab.
"""
with use_keytab(test_service.name, self.keytabname) as conn:
assert conn.can_read(test_service.dn, 'objectclass') is True
assert getattr(context, 'principal') == test_service.name
use_keytab(test_service.name, self.keytabname)
def test_4_disable(self, test_service):
"""
@@ -193,77 +186,10 @@ class test_ipagetkeytab(KeytabRetrievalTest):
Try to use the disabled keytab
"""
try:
with use_keytab(test_service.name, self.keytabname) as conn:
assert conn.can_read(test_service.dn, 'objectclass') is True
assert getattr(context, 'principal') == test_service.name
use_keytab(test_service.name, self.keytabname)
except Exception as errmsg:
assert('Unable to bind to LDAP. Error initializing principal' in str(errmsg))
def test_6_quiet_mode(self, test_service):
"""
Try to use quiet mode
"""
test_service.ensure_exists()
# getkeytab without quiet mode option enabled
result = self.run_ipagetkeytab(test_service.name)
err = result.error_output.split("\n")[0]
assert err == f"Keytab successfully retrieved and stored in:" \
f" {self.keytabname}"
assert result.returncode == 0
# getkeytab with quiet mode option enabled
result1 = self.run_ipagetkeytab(test_service.name, args=tuple("-q"))
assert result1.returncode == 0
def test_7_server_name_check(self, test_service):
"""
Try to use -s for server name
"""
test_service.ensure_exists()
self.assert_success(test_service.name, args=["-s", api.env.host])
def test_8_keytab_encryption_check(self, test_service):
"""
Try to use -e for different types of encryption check
"""
encryptes_list = [
"aes256-cts-hmac-sha1-96",
"aes128-cts-hmac-sha256-128",
]
self.assert_success(
test_service.name, args=["-e", ",".join(encryptes_list)]
)
def test_dangling_symlink(self, test_service):
# see https://pagure.io/freeipa/issue/4607
test_service.ensure_exists()
fd, symlink_target = tempfile.mkstemp()
os.close(fd)
os.unlink(symlink_target)
# create dangling symlink
os.symlink(self.keytabname, symlink_target)
try:
self.assert_success(test_service.name, raiseonerr=True)
assert os.path.isfile(symlink_target)
assert os.path.samefile(self.keytabname, symlink_target)
finally:
os.unlink(symlink_target)
def retrieve_dm_password():
dmpw_file = os.path.join(api.env.dot_ipa, '.dmpw')
if not os.path.isfile(dmpw_file):
raise errors.NotFound(reason='{} file required '
'for this test'.format(dmpw_file))
with open(dmpw_file, 'r') as f:
dm_password = f.read().strip()
return dm_password
class TestBindMethods(KeytabRetrievalTest):
"""
@@ -273,13 +199,17 @@ class TestBindMethods(KeytabRetrievalTest):
dm_password = None
ca_cert = None
@pytest.fixture(autouse=True, scope="class")
def bindmethods_setup(self, request, keytab_retrieval_setup):
cls = request.cls
try:
cls.dm_password = retrieve_dm_password()
except errors.NotFound as e:
pytest.skip(e.args)
@classmethod
def setup_class(cls):
super(TestBindMethods, cls).setup_class()
dmpw_file = os.path.join(api.env.dot_ipa, '.dmpw')
if not os.path.isfile(dmpw_file):
pytest.skip('{} file required for this test'.format(dmpw_file))
with open(dmpw_file, 'r') as f:
cls.dm_password = f.read().strip()
tempfd, temp_ca_cert = tempfile.mkstemp()
@@ -289,12 +219,14 @@ class TestBindMethods(KeytabRetrievalTest):
cls.ca_cert = temp_ca_cert
def fin():
try:
os.unlink(cls.ca_cert)
except OSError:
pass
request.addfinalizer(fin)
@classmethod
def teardown_class(cls):
super(TestBindMethods, cls).teardown_class()
try:
os.unlink(cls.ca_cert)
except OSError:
pass
def check_ldapi(self):
if not api.env.ldap_uri.startswith('ldapi://'):
@@ -393,106 +325,3 @@ class TestBindMethods(KeytabRetrievalTest):
'-H', 'ldaps://{}'.format(api.env.host),
'-Y', 'EXTERNAL'],
raiseonerr=False)
class SMBServiceTracker(service_plugin.ServiceTracker):
def __init__(self, name, host_fqdn, options=None):
super(SMBServiceTracker, self).__init__(name, host_fqdn,
options=options)
# Create SMB service principal that has POSIX attributes to allow
# generating SID and adding proper objectclasses
self.create_keys |= {u'uidnumber', u'gidnumber'}
self.options[u'addattr'] = [
u'objectclass=ipaIDObject', u'uidNumber=-1', u'gidNumber=-1']
def track_create(self, **options):
super(SMBServiceTracker, self).track_create(**options)
self.attrs[u'uidnumber'] = [fuzzy_digits]
self.attrs[u'gidnumber'] = [fuzzy_digits]
self.attrs[u'objectclass'].append(u'ipaIDObject')
@pytest.fixture(scope='class')
def test_smb_svc(request, test_host, smb_service_setup):
service_tracker = SMBServiceTracker(u'cifs', test_host.name)
test_host.ensure_exists()
return service_tracker.make_fixture(request)
@pytest.mark.tier0
@pytest.mark.skipif(u'ipantuserattrs' not in add_oc([], u'ipantuserattrs'),
reason="Must have trust support enabled for this test")
class test_smb_service(KeytabRetrievalTest):
"""
Test `ipa-getkeytab` for retrieving explicit enctypes
"""
command = "ipa-getkeytab"
dm_password = None
keytabname = None
@pytest.fixture(autouse=True, scope="class")
def smb_service_setup(self, request, keytab_retrieval_setup):
cls = request.cls
try:
cls.dm_password = retrieve_dm_password()
except errors.NotFound as e:
pytest.skip(e.args)
def test_create(self, test_smb_svc):
"""
Create a keytab with `ipa-getkeytab` for an existing service.
"""
test_smb_svc.ensure_exists()
# Request a keytab with explicit encryption types
enctypes = ['aes128-cts-hmac-sha1-96',
'aes256-cts-hmac-sha1-96', 'arcfour-hmac']
args = ['-e', ','.join(enctypes), '-s', api.env.host]
self.assert_success(test_smb_svc.name, args=args, raiseonerr=True)
def test_use(self, test_smb_svc):
"""
Try to use the service keytab to regenerate ipaNTHash value
"""
# Step 1. Extend objectclass to allow ipaNTHash attribute
# We cannot verify write access to objectclass
with use_keytab(test_smb_svc.name, self.keytabname) as conn:
entry = conn.get_entry(test_smb_svc.dn, ['objectclass'])
entry['objectclass'].extend(['ipaNTUserAttrs'])
try:
conn.update_entry(entry)
except errors.ACIError:
assert ('No correct ACI to the allow ipaNTUserAttrs '
'for SMB service' in "failure")
# Step 2. With ipaNTUserAttrs in place, we can ask to regenerate
# ipaNTHash value. We can also verify it is possible to write to
# ipaNTHash attribute while being an SMB service
with use_keytab(test_smb_svc.name, self.keytabname) as conn:
assert conn.can_write(test_smb_svc.dn, 'ipaNTHash') is True
entry = conn.get_entry(test_smb_svc.dn, ['ipaNTHash'])
entry['ipanthash'] = b'MagicRegen'
try:
conn.update_entry(entry)
except errors.ACIError:
assert ("No correct ACI to the ipaNTHash for SMB service"
in "failure")
except errors.EmptyResult:
assert "No arcfour-hmac in Kerberos keys" in "failure"
except errors.DatabaseError:
# Most likely ipaNTHash already existed -- we either get
# OPERATIONS_ERROR or UNWILLING_TO_PERFORM, both map to
# the same DatabaseError class.
assert "LDAP Entry corruption after generation" in "failure"
# Update succeeded, now we have either MagicRegen (broken) or
# a real NT hash in the entry. However, we can only retrieve it as
# a cn=Directory Manager. When bind_dn is None, ldap2.connect() wil
# default to cn=Directory Manager.
conn = ldap2(api)
conn.connect(bind_dn=None, bind_pw=self.dm_password,
autobind=ipaldap.AUTOBIND_DISABLED)
entry = conn.retrieve(test_smb_svc.dn, ['ipaNTHash'])
ipanthash = entry.single_value.get('ipanthash')
conn.disconnect()
assert ipanthash != b'MagicRegen', 'LDBM backend entry corruption'