# # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # """ Module provides tests which testing ability of various subsystems to be installed. """ from __future__ import absolute_import import os import pytest from ipalib.constants import DOMAIN_LEVEL_0 from ipaplatform.constants import constants from ipaplatform.paths import paths from ipatests.pytest_ipa.integration.env_config import get_global_config from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup config = get_global_config() def create_broken_resolv_conf(master): # Force a broken resolv.conf to simulate a bad response to # reverse zone lookups master.run_command([ '/usr/bin/mv', paths.RESOLV_CONF, '%s.sav' % paths.RESOLV_CONF ]) contents = "# Set as broken by ipatests\nnameserver 127.0.0.2\n" master.put_file_contents(paths.RESOLV_CONF, contents) def restore_resolv_conf(master): if os.path.exists('%s.sav' % paths.RESOLV_CONF): master.run_command([ '/usr/bin/mv', '%s.sav' % paths.RESOLV_CONF, paths.RESOLV_CONF ]) def server_install_setup(func): def wrapped(*args): master = args[0].master create_broken_resolv_conf(master) try: func(*args) finally: tasks.uninstall_master(master, clean=False) restore_resolv_conf(master) ipa_certs_cleanup(master) return wrapped class InstallTestBase1(IntegrationTest): num_replicas = 3 topology = 'star' @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) def test_replica0_ca_less_install(self): tasks.install_replica(self.master, self.replicas[0], setup_ca=False) def test_replica0_ipa_ca_install(self): tasks.install_ca(self.replicas[0]) def test_replica0_ipa_kra_install(self): tasks.install_kra(self.replicas[0], first_instance=True) def test_replica0_ipa_dns_install(self): tasks.install_dns(self.replicas[0]) def test_replica1_with_ca_install(self): tasks.install_replica(self.master, self.replicas[1], setup_ca=True) def test_replica1_ipa_kra_install(self): tasks.install_kra(self.replicas[1]) def test_replica1_ipa_dns_install(self): tasks.install_dns(self.replicas[1]) def test_replica2_with_ca_kra_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=True, setup_kra=True) def test_replica2_ipa_dns_install(self): tasks.install_dns(self.replicas[2]) class InstallTestBase2(IntegrationTest): num_replicas = 3 topology = 'star' @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) def test_replica0_with_ca_kra_dns_install(self): tasks.install_replica(self.master, self.replicas[0], setup_ca=True, setup_kra=True, setup_dns=True) def test_replica1_with_ca_dns_install(self): tasks.install_replica(self.master, self.replicas[1], setup_ca=True, setup_dns=True) def test_replica1_ipa_kra_install(self): tasks.install_kra(self.replicas[1]) def test_replica2_with_dns_install(self): tasks.install_replica(self.master, self.replicas[2], setup_ca=False, setup_dns=True) def test_replica2_ipa_ca_install(self): tasks.install_ca(self.replicas[2]) def test_replica2_ipa_kra_install(self): tasks.install_kra(self.replicas[2]) class ADTrustInstallTestBase(IntegrationTest): """ Base test for builtin AD trust installation im combination with other components """ num_replicas = 2 topology = 'star' @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) def install_replica(self, replica, **kwargs): tasks.install_replica(self.master, replica, setup_adtrust=True, **kwargs) def test_replica0_only_adtrust(self): self.install_replica(self.replicas[0], setup_ca=False) def test_replica1_all_components_adtrust(self): self.install_replica(self.replicas[1], setup_ca=True) ## # Master X Replicas installation tests ## class TestInstallWithCA1(InstallTestBase1): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica1_ipa_kra_install(self): super(TestInstallWithCA1, self).test_replica1_ipa_kra_install() @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_with_ca_kra_install(self): super(TestInstallWithCA1, self).test_replica2_with_ca_kra_install() @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_ipa_dns_install(self): super(TestInstallWithCA1, self).test_replica2_ipa_dns_install() def test_install_with_bad_ldap_conf(self): """ Test a client install with a non standard ldap.config https://pagure.io/freeipa/issue/7418 """ ldap_conf = paths.OPENLDAP_LDAP_CONF base_dn = self.master.domain.basedn # pylint: disable=no-member client = self.replicas[0] tasks.uninstall_master(client) expected_msg1 = "contains deprecated and unsupported " \ "entries: HOST, PORT" file_backup = client.get_file_contents(ldap_conf, encoding='utf-8') constants = "URI ldaps://{}\nBASE {}\nHOST {}\nPORT 636".format( self.master.hostname, base_dn, self.master.hostname) modifications = "{}\n{}".format(file_backup, constants) client.put_file_contents(paths.OPENLDAP_LDAP_CONF, modifications) result = client.run_command(['ipa-client-install', '-U', '--domain', client.domain.name, '--realm', client.domain.realm, '-p', client.config.admin_name, '-w', client.config.admin_password, '--server', self.master.hostname], raiseonerr=False) assert expected_msg1 in result.stderr_text client.put_file_contents(ldap_conf, file_backup) class TestInstallWithCA2(InstallTestBase2): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False) @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica0_with_ca_kra_dns_install(self): super(TestInstallWithCA2, self).test_replica0_with_ca_kra_dns_install() @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica1_ipa_kra_install(self): super(TestInstallWithCA2, self).test_replica1_ipa_kra_install() @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_ipa_kra_install(self): super(TestInstallWithCA2, self).test_replica2_ipa_kra_install() class TestInstallWithCA_KRA1(InstallTestBase1): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False, setup_kra=True) def test_replica0_ipa_kra_install(self): tasks.install_kra(self.replicas[0], first_instance=False) class TestInstallWithCA_KRA2(InstallTestBase2): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=False, setup_kra=True) class TestInstallWithCA_DNS1(InstallTestBase1): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica1_ipa_kra_install(self): super(TestInstallWithCA_DNS1, self).test_replica1_ipa_kra_install() @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_with_ca_kra_install(self): super(TestInstallWithCA_DNS1, self).test_replica2_with_ca_kra_install() @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_ipa_dns_install(self): super(TestInstallWithCA_DNS1, self).test_replica2_ipa_dns_install() class TestInstallWithCA_DNS2(InstallTestBase2): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) @pytest.mark.xfail(reason="FreeIPA ticket 7008", strict=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica0_with_ca_kra_dns_install(self): super( TestInstallWithCA_DNS2, self ).test_replica0_with_ca_kra_dns_install() @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica1_ipa_kra_install(self): super(TestInstallWithCA_DNS2, self).test_replica1_ipa_kra_install() @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_ipa_kra_install(self): super(TestInstallWithCA_DNS2, self).test_replica2_ipa_kra_install() class TestInstallWithCA_DNS3(CALessBase): """ Test an install with a bad DNS resolver configured to force a timeout trying to verify the existing zones. In the case of a reverse zone it is skipped unless --allow-zone-overlap is set regardless of the value of --auto-reverse. Confirm that --allow-zone-overlap lets the reverse zone be created. ticket 7239 """ @server_install_setup def test_number_of_zones(self): """There should be two zones: one forward, one reverse""" self.create_pkcs12('ca1/server') self.prepare_cacert('ca1') self.install_server(extra_args=['--allow-zone-overlap']) result = self.master.run_command([ 'ipa', 'dnszone-find']) assert "in-addr.arpa." in result.stdout_text assert "returned 2" in result.stdout_text class TestInstallWithCA_DNS4(CALessBase): """ Test an install with a bad DNS resolver configured to force a timeout trying to verify the existing zones. In the case of a reverse zone it is skipped unless --allow-zone-overlap is set regardless of the value of --auto-reverse. Confirm that without --allow-reverse-zone only the forward zone is created. ticket 7239 """ @server_install_setup def test_number_of_zones(self): """There should be one zone, a forward because rev timed-out""" self.create_pkcs12('ca1/server') self.prepare_cacert('ca1') # no zone overlap by default self.install_server() result = self.master.run_command([ 'ipa', 'dnszone-find']) assert "in-addr.arpa." not in result.stdout_text assert "returned 1" in result.stdout_text @pytest.mark.cs_acceptance class TestInstallWithCA_KRA_DNS1(InstallTestBase1): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=True, setup_kra=True) def test_replica0_ipa_kra_install(self): tasks.install_kra(self.replicas[0], first_instance=False) class TestInstallWithCA_KRA_DNS2(InstallTestBase2): @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=True, setup_kra=True) class TestADTrustInstall(ADTrustInstallTestBase): """ Tests built-in AD trust installation in various combinations (see the base class for more details) against plain IPA master (no DNS, no KRA, no AD trust) """ class TestADTrustInstallWithDNS_KRA_ADTrust(ADTrustInstallTestBase): """ Tests built-in AD trust installation in various combinations (see the base class for more details) against fully equipped (DNS, CA, KRA, ADtrust) master. Additional two test cases were added to test interplay including KRA installer """ @classmethod def install(cls, mh): tasks.install_master(cls.master, setup_dns=True, setup_kra=True, setup_adtrust=True) def test_replica1_all_components_adtrust(self): self.install_replica(self.replicas[1], setup_ca=True, setup_kra=True) ## # Rest of master installation tests ## class TestInstallMaster(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master(self.master, setup_dns=False) def test_install_kra(self): tasks.install_kra(self.master, first_instance=True) def test_install_dns(self): tasks.install_dns(self.master) def test_WSGI_worker_process(self): """ Test if WSGI worker process count is set to 4 related ticket : https://pagure.io/freeipa/issue/7587 """ # check process count in httpd conf file i.e expected string exp = b'WSGIDaemonProcess ipa processes=%d' % constants.WSGI_PROCESSES httpd_conf = self.master.get_file_contents(paths.HTTPD_IPA_CONF) assert exp in httpd_conf # check the process count cmd = self.master.run_command('ps -eF') wsgi_count = cmd.stdout_text.count('wsgi:ipa') assert constants.WSGI_PROCESSES == wsgi_count class TestInstallMasterKRA(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master(self.master, setup_dns=False, setup_kra=True) def test_install_dns(self): tasks.install_dns(self.master) class TestInstallMasterDNS(IntegrationTest): num_replicas = 0 @classmethod def install(cls, mh): pass def test_install_master(self): tasks.install_master( self.master, setup_dns=True, extra_args=['--zonemgr', 'me@example.org'], ) def test_install_kra(self): tasks.install_kra(self.master, first_instance=True) class TestInstallMasterReservedIPasForwarder(IntegrationTest): """Test to check if IANA reserved IP doesn't accepted as DNS forwarder IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address. related ticket: https://pagure.io/freeipa/issue/6894 """ def test_reserved_ip_as_forwarder(self): args = [ 'ipa-server-install', '-n', self.master.domain.name, '-r', self.master.domain.realm, '-p', self.master.config.dirman_password, '-a', self.master.config.admin_password, '--setup-dns', '--forwarder', '0.0.0.0', '--auto-reverse'] cmd = self.master.run_command(args, raiseonerr=False) assert cmd.returncode == 2 exp_str = ("error: option --forwarder: invalid IP address 0.0.0.0: " "cannot use IANA reserved IP address 0.0.0.0") assert exp_str in cmd.stderr_text server_install_options = ( "yes\n" "{hostname}\n" "{dmname}\n\n" "{dm_pass}\n{dm_pass}" "\n{admin_pass}\n{admin_pass}\n" "yes\nyes\n0.0.0.0\n".format( dm_pass=self.master.config.dirman_password, admin_pass=self.master.config.admin_password, dmname=self.master.domain.name, hostname=self.master.hostname)) cmd = self.master.run_command(['ipa-server-install'], stdin_text=server_install_options, raiseonerr=False) exp_str = ("Invalid IP Address 0.0.0.0: cannot use IANA reserved " "IP address 0.0.0.0") assert exp_str in cmd.stdout_text