Update and Provide FreeIPA Tests #141
@ -8,18 +8,20 @@ sub run {
|
|||||||
# switch to tty1 (we're usually there already, but just in case
|
# switch to tty1 (we're usually there already, but just in case
|
||||||
# we're carrying on from a failed freeipa_webui that didn't fail
|
# we're carrying on from a failed freeipa_webui that didn't fail
|
||||||
# at tty1)
|
# at tty1)
|
||||||
|
my $ipa_domain = 'test.openqa.rockylinux.org';
|
||||||
|
my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
|
||||||
send_key "ctrl-alt-f1";
|
send_key "ctrl-alt-f1";
|
||||||
wait_still_screen 1;
|
wait_still_screen 1;
|
||||||
# check domain is listed in 'realm list'
|
# check domain is listed in 'realm list'
|
||||||
validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.rockylinux\.org.*configured: kerberos-member/s };
|
validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.rockylinux\.org.*configured: kerberos-member/s };
|
||||||
# check we can see the admin user in getent
|
# check we can see the admin user in getent
|
||||||
assert_script_run 'getent passwd admin@TEST.OPENQA.ROCKYLINUX.ORG';
|
assert_script_run "getent passwd admin\@$ipa_realm";
|
||||||
# check keytab entries
|
# check keytab entries
|
||||||
my $hostname = script_output 'hostname';
|
my $hostname = script_output 'hostname';
|
||||||
my $qhost = quotemeta($hostname);
|
my $qhost = quotemeta($hostname);
|
||||||
validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.ROCKYLINUX\.ORG/ };
|
validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.ROCKYLINUX\.ORG/ };
|
||||||
# check we can kinit with the host principal
|
# check we can kinit with the host principal
|
||||||
assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.ROCKYLINUX.ORG";
|
assert_script_run "kinit -k host/$hostname\@$ipa_realm";
|
||||||
# Set a longer timeout for login(1) to workaround RHBZ #1661273
|
# Set a longer timeout for login(1) to workaround RHBZ #1661273
|
||||||
assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
|
assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
|
||||||
# switch to tty2 for login tests
|
# switch to tty2 for login tests
|
||||||
@ -32,7 +34,7 @@ sub run {
|
|||||||
# "permission denied" message doesn't last that long
|
# "permission denied" message doesn't last that long
|
||||||
sleep 2;
|
sleep 2;
|
||||||
assert_screen "text_console_login";
|
assert_screen "text_console_login";
|
||||||
type_string "test2\@TEST.OPENQA.ROCKYLINUX.ORG\n";
|
type_string "test2\@$ipa_realm\n";
|
||||||
assert_screen "console_password_required";
|
assert_screen "console_password_required";
|
||||||
type_string "batterystaple\n";
|
type_string "batterystaple\n";
|
||||||
assert_screen "login_permission_denied";
|
assert_screen "login_permission_denied";
|
||||||
|
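Review bot: The checks `validate_script_output 'realm list', ...` and `validate_script_output 'klist -k', ...` in the first hunk still hard-code `test\.openqa\.rockylinux\.org` and `TEST\.OPENQA\.ROCKYLINUX\.ORG`, while the getent, kinit and tty2 login lines now interpolate `$ipa_realm`; `$ipa_domain` is declared in the same hunk but, as far as the visible lines show, never read. Changing either variable later would leave these two assertions silently testing the old names, so the patterns should use the same variables: `m/domain-name: \Q$ipa_domain\E.*configured: kerberos-member/s` and `m/$qhost\@\Q$ipa_realm\E/`. `\Q...\E` keeps the dots literal, which is what `quotemeta($hostname)` already does for `$qhost`. The body of `run` continues outside these hunks.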
@ -9,7 +9,9 @@ sub run {
|
|||||||
# we're restarting firefox (instead of using the same one from
|
# we're restarting firefox (instead of using the same one from
|
||||||
# realmd_join_cockpit) so Firefox's trusted CA store refreshes and
|
# realmd_join_cockpit) so Firefox's trusted CA store refreshes and
|
||||||
# it trusts the web server cert
|
# it trusts the web server cert
|
||||||
start_webui("admin", "monkeys123");
|
my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
|
||||||
|
my $ipa_admin_password = 'b1U3OnyX!';
|
||||||
|
start_webui("admin", $ipa_admin_password);
|
||||||
add_user("test3", "Three");
|
add_user("test3", "Three");
|
||||||
add_user("test4", "Four");
|
add_user("test4", "Four");
|
||||||
assert_screen "freeipa_webui_users_added";
|
assert_screen "freeipa_webui_users_added";
|
||||||
@ -48,8 +50,8 @@ sub run {
|
|||||||
assert_screen "root_console";
|
assert_screen "root_console";
|
||||||
wait_still_screen 5;
|
wait_still_screen 5;
|
||||||
# set permanent passwords for both accounts
|
# set permanent passwords for both accounts
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test3@TEST.OPENQA.ROCKYLINUX.ORG';
|
assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test3\@$ipa_realm";
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test4@TEST.OPENQA.ROCKYLINUX.ORG';
|
assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test4\@$ipa_realm";
|
||||||
# switch to tty4 (boy, the tty jugglin')
|
# switch to tty4 (boy, the tty jugglin')
|
||||||
send_key "ctrl-alt-f4";
|
send_key "ctrl-alt-f4";
|
||||||
# try and login as test3, should work
|
# try and login as test3, should work
|
||||||
|
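Review bot: In the second hunk, the two `kinit` lines switch the outer Perl quotes from single to double (`"printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test3\@$ipa_realm"`), so `\n` is now expanded by Perl into real newline characters before the command is typed, instead of being passed through for the shell's `printf` to interpret as the old single-quoted form did. The command therefore reaches the console as three lines inside an open single-quoted shell string and relies on the interactive shell's continuation handling; it may still deliver the three lines to kinit, but that is a side effect of the quoting change rather than its intent and is fragile under `assert_script_run`. Escape the backslash so the shell sees it: `"printf 'correcthorse\\nbatterystaple\\nbatterystaple' | kinit test3\@$ipa_realm"`, and the same for the `test4` line. The identical change appears in the server deploy file's last hunk for the `test1` and `test2` kinit lines. `run` continues outside these hunks.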
@ -57,7 +57,7 @@ sub run {
|
|||||||
type_string("admin", 4);
|
type_string("admin", 4);
|
||||||
send_key "tab";
|
send_key "tab";
|
||||||
sleep 3;
|
sleep 3;
|
||||||
type_string("monkeys123", 4);
|
type_string("b1U3OnyX!", 4);
|
||||||
sleep 3;
|
sleep 3;
|
||||||
assert_and_click "cockpit_join_button";
|
assert_and_click "cockpit_join_button";
|
||||||
# join involves package installs, so it may take some time
|
# join involves package installs, so it may take some time
|
||||||
|
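Review bot: The Cockpit join password is inlined as the literal `type_string("b1U3OnyX!", 4);`, whereas the other files in this change introduce a `my $ipa_admin_password = 'b1U3OnyX!';` lexical for the same value. That leaves the credential duplicated in at least five places, so the next rotation has to find every copy, and a missed one only surfaces as a join failure deep in the dependency chain. Consider defining it once in a shared module or a single `get_var` with a default (identifier to be chosen; none exists on this page) and referencing it here as `type_string($ipa_admin_password, 4);`. `run` continues outside this hunk.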
@ -6,12 +6,39 @@ use mmapi;
|
|||||||
use tapnet;
|
use tapnet;
|
||||||
use utils;
|
use utils;
|
||||||
|
|
||||||
|
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
|
||||||
|
# to be maintained per major version as necessary.
|
||||||
|
# label@rockylinux.org
|
||||||
|
|
||||||
|
use feature "switch";
|
||||||
|
|
||||||
sub run {
|
sub run {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
# use FreeIPA server or replica as DNS server
|
# use FreeIPA server or replica as DNS server
|
||||||
|
my $version_major = get_version_major;
|
||||||
|
my $relnum = get_release_number;
|
||||||
|
my $ipa_admin_password = 'b1U3OnyX!';
|
||||||
my $server = 'ipa001.test.openqa.rockylinux.org';
|
my $server = 'ipa001.test.openqa.rockylinux.org';
|
||||||
my $server_ip = '172.16.2.100';
|
my $server_ip = '172.16.2.100';
|
||||||
my $server_mutex = 'freeipa_ready';
|
my $server_mutex = 'freeipa_ready';
|
||||||
|
my $ipa_install_cmd;
|
||||||
|
my @ipa_firewall_services;
|
||||||
|
given ($version_major) {
|
||||||
|
when ('8') {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
|
||||||
|
@ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
|
||||||
|
}
|
||||||
|
when ('9') {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
|
||||||
|
@ipa_firewall_services = qw(freeipa-4 dns);
|
||||||
|
}
|
||||||
|
default {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
|
||||||
|
@ipa_firewall_services = qw(freeipa-4 dns);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if (get_var("FREEIPA_REPLICA")) {
|
if (get_var("FREEIPA_REPLICA")) {
|
||||||
$server = 'ipa002.test.openqa.rockylinux.org';
|
$server = 'ipa002.test.openqa.rockylinux.org';
|
||||||
$server_ip = '172.16.2.106';
|
$server_ip = '172.16.2.106';
|
||||||
@ -40,22 +67,22 @@ sub run {
|
|||||||
if (get_var("FREEIPA_REPLICA")) {
|
if (get_var("FREEIPA_REPLICA")) {
|
||||||
# here we're enrolling not just as a client, but as a replica
|
# here we're enrolling not just as a client, but as a replica
|
||||||
# install server packages
|
# install server packages
|
||||||
assert_script_run "dnf -y groupinstall freeipa-server", 600;
|
assert_script_run "$ipa_install_cmd", 600;
|
||||||
|
|
||||||
# we need a lot of entropy for this, and we don't care how good
|
# we need a lot of entropy for this, and we don't care how good
|
||||||
# it is, so let's use haveged
|
# it is, so let's use haveged
|
||||||
assert_script_run "dnf -y install haveged", 300;
|
assert_script_run "dnf --assumeyes install rng-tools", 300;
|
||||||
assert_script_run 'systemctl start haveged.service';
|
assert_script_run 'systemctl start rngd.service';
|
||||||
|
|
||||||
# configure the firewall
|
# configure the firewall
|
||||||
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
|
for my $service (@ipa_firewall_services) {
|
||||||
assert_script_run "firewall-cmd --permanent --add-service $service";
|
assert_script_run "firewall-cmd --permanent --add-service $service";
|
||||||
}
|
}
|
||||||
assert_script_run "systemctl restart firewalld.service";
|
assert_script_run "systemctl restart firewalld.service";
|
||||||
|
|
||||||
# deploy as a replica
|
# deploy as a replica
|
||||||
my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
|
my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
|
||||||
my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
|
my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password $ipa_admin_password";
|
||||||
assert_script_run "ipa-replica-install $args", 1500;
|
assert_script_run "ipa-replica-install $args", 1500;
|
||||||
|
|
||||||
# enable and start the systemd service
|
# enable and start the systemd service
|
||||||
@ -69,7 +96,7 @@ sub run {
|
|||||||
wait_for_children;
|
wait_for_children;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300;
|
assert_script_run "echo '$ipa_admin_password' | realm join --user=admin ${server}", 300;
|
||||||
}
|
}
|
||||||
# set sssd debugging level higher (useful for debugging failures)
|
# set sssd debugging level higher (useful for debugging failures)
|
||||||
# optional as it's not really part of the test
|
# optional as it's not really part of the test
|
||||||
|
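Review bot: The version dispatch added at the top of `run` in the first hunk uses `use feature "switch";` with `given`/`when`/`default`, which is experimental (it emits `experimental::smartmatch` warnings under `use warnings` from 5.18 and is deprecated from 5.38), and its `when ('9')` and `default` arms assign identical values, so the block reduces to an `if`/`else` on `$version_major` and the `use feature` line can go; the same construct is repeated in the server deploy file. `$relnum` is assigned from `get_release_number` but not read in the visible lines. The comment `# it is, so let's use haveged` in the second hunk is now stale, since the lines below it install and start `rng-tools`/`rngd.service`; the server file's updated wording (`# We need entropy. Install rng-tools ...`) could be reused. In `my $args = "... --admin-password $ipa_admin_password"` the password is unquoted while the `realm join` line single-quotes it; because the value contains `!` and is typed into an interactive shell, quote it consistently, e.g. `--admin-password '$ipa_admin_password'`. `run` continues outside these hunks.
```perl
my $ipa_install_cmd;
my @ipa_firewall_services;
# Version 8 installs FreeIPA from the idm module stream; anything else
# installs the plain packages (the '9' and default arms were identical).
if ($version_major eq '8') {
    $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
    @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
}
else {
    $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
    @ipa_firewall_services = qw(freeipa-4 dns);
}
# … unchanged: FREEIPA_REPLICA server selection …
```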
@ -6,23 +6,45 @@ use mmapi;
|
|||||||
use tapnet;
|
use tapnet;
|
||||||
use utils;
|
use utils;
|
||||||
|
|
||||||
|
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
|
||||||
|
# to be maintained per major version as necessary.
|
||||||
|
# label@rockylinux.org
|
||||||
|
|
||||||
|
use feature "switch";
|
||||||
|
|
||||||
sub run {
|
sub run {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
|
my $version_major = get_version_major;
|
||||||
|
my $relnum = get_release_number;
|
||||||
|
my $ipa_hostname = script_output 'hostname';
|
||||||
|
my $ipa_install_cmd;
|
||||||
|
my @ipa_firewall_services;
|
||||||
|
my $ipa_domain = 'test.openqa.rockylinux.org';
|
||||||
|
my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
|
||||||
|
my $ipa_admin_password = 'b1U3OnyX!';
|
||||||
|
my $ipa_reverse_zone = '2.16.172.in-addr.arpa';
|
||||||
|
my $ipa_install_args = "-U --auto-forwarders --realm=$ipa_realm --domain=$ipa_domain --ds-password=$ipa_admin_password --admin-password=$ipa_admin_password --setup-dns --reverse-zone=$ipa_reverse_zone --allow-zone-overlap";
|
||||||
|
given ($version_major) {
|
||||||
|
when ('8') {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
|
||||||
|
@ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
|
||||||
|
}
|
||||||
|
when ('9') {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
|
||||||
|
@ipa_firewall_services = qw(freeipa-4 dns);
|
||||||
|
}
|
||||||
|
default {
|
||||||
|
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
|
||||||
|
@ipa_firewall_services = qw(freeipa-4 dns);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# login
|
# login
|
||||||
$self->root_console();
|
$self->root_console();
|
||||||
# use compose repo, disable u-t, etc. unless this is an upgrade
|
# We need entropy. Install rng-tools and start it up. Fedora uses haveged
|
||||||
# test (in which case we're on the 'old' release at this point;
|
# but Rocky Linux does not have it unless EPEL is used.
|
||||||
# one of the upgrade test modules does repo_setup later)
|
assert_script_run "dnf --assumeyes install rng-tools", 300;
|
||||||
repo_setup() unless get_var("UPGRADE");
|
assert_script_run 'systemctl start rngd.service';
|
||||||
# use --enablerepo=fedora for Modular compose testing (we need to
|
|
||||||
# create and use a non-Modular repo to get some packages which
|
|
||||||
# aren't in Modular Server composes)
|
|
||||||
my $extraparams = '';
|
|
||||||
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
|
|
||||||
# we need a lot of entropy for this, and we don't care how good
|
|
||||||
# it is, so let's use haveged
|
|
||||||
assert_script_run "dnf ${extraparams} -y install haveged", 300;
|
|
||||||
assert_script_run 'systemctl start haveged.service';
|
|
||||||
# per ab, this should get us extra debug logging from the web UI
|
# per ab, this should get us extra debug logging from the web UI
|
||||||
# in error_log
|
# in error_log
|
||||||
assert_script_run 'mkdir -p /etc/ipa';
|
assert_script_run 'mkdir -p /etc/ipa';
|
||||||
@ -30,24 +52,49 @@ sub run {
|
|||||||
# per ab, this gets us more debugging for bind
|
# per ab, this gets us more debugging for bind
|
||||||
assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
|
assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
|
||||||
assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
|
assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
|
||||||
# First install the necessary packages
|
# Based on the major version, install FreeIPA
|
||||||
assert_script_run "dnf -y groupinstall freeipa-server", 600;
|
assert_script_run "$ipa_install_cmd", 600;
|
||||||
# configure the firewall
|
# Enable all the firewall services as needed per major version
|
||||||
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
|
for my $service (@ipa_firewall_services) {
|
||||||
assert_script_run "firewall-cmd --permanent --add-service $service";
|
assert_script_run "firewall-cmd --permanent --add-service $service";
|
||||||
}
|
}
|
||||||
assert_script_run "systemctl restart firewalld.service";
|
assert_script_run "systemctl restart firewalld.service";
|
||||||
# deploy the server
|
# deploy the server
|
||||||
my $args = "-U --auto-forwarders --realm=TEST.OPENQA.ROCKYLINUX.ORG --domain=test.openqa.rockylinux.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
|
assert_script_run "ipa-server-install $ipa_install_args", 1200;
|
||||||
assert_script_run "ipa-server-install $args", 1200;
|
|
||||||
# enable and start the systemd service
|
# enable and start the systemd service
|
||||||
assert_script_run "systemctl enable ipa.service";
|
assert_script_run "systemctl enable ipa.service";
|
||||||
assert_script_run "systemctl start ipa.service", 300;
|
assert_script_run "systemctl start ipa.service", 300;
|
||||||
|
|
||||||
# kinit as admin
|
# kinit as admin
|
||||||
assert_script_run 'echo "monkeys123" | kinit admin';
|
assert_script_run "echo '$ipa_admin_password' | kinit admin";
|
||||||
# set up an OTP for client001 enrolment (it will enrol with a kickstart)
|
# set up an OTP for client001 enrolment (this should enroll by kickstart or another way)
|
||||||
assert_script_run 'ipa host-add client001.test.openqa.rockylinux.org --password=monkeys --force';
|
assert_script_run "ipa host-add client001.$ipa_domain --password=monkeys --force";
|
||||||
|
############################################################################
|
||||||
|
# Testing kerb services
|
||||||
|
assert_script_run "ipa service-add testservice/$ipa_hostname";
|
||||||
|
assert_script_run "ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname";
|
||||||
|
validate_script_output 'klist -k /tmp/testservice.keytab', sub { $_ =~ m/testservice\/$ipa_hostname/ };
|
||||||
|
# This is commented for now. We need a while loop that watches for ipa-getcert list -r to become empty.
|
||||||
|
#assert_script_run "ipa-getcert request -K testservice/$ipa_hostname -D $ipa_hostname -f /etc/pki/tls/certs/testservice.pki -k /etc/pki/tls/private/testservice.key";
|
||||||
|
#validate_script_output "ipa-getcert list -r | sed -n '/Request ID/,/auto-renew: yes/p'", sub { $_ =~ m// };
|
||||||
|
|
||||||
|
############################################################################
|
||||||
|
# Testing DNS
|
||||||
|
assert_script_run "ipa dnszone-add --name-server=$ipa_hostname. --admin-email=hostmaster.testzone.$ipa_domain. testzone.$ipa_domain";
|
||||||
|
sleep(5);
|
||||||
|
# ensure subdomain was made
|
||||||
|
validate_script_output "dig \@localhost SOA testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
|
||||||
|
# make test records with CNAME
|
||||||
|
assert_script_run "ipa dnsrecord-add $ipa_domain testrecord --cname-hostname=onyxtest";
|
||||||
|
# validate it works
|
||||||
|
validate_script_output "dig \@localhost CNAME testrecord.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
|
||||||
|
# make test records with CNAME in subdomain
|
||||||
|
assert_script_run "ipa dnsrecord-add testzone.$ipa_domain testrecord --cname-hostname=onyxtest.$ipa_domain";
|
||||||
|
# validate it works
|
||||||
|
validate_script_output "dig \@localhost CNAME testrecord.testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
|
||||||
|
|
||||||
|
############################################################################
|
||||||
|
# User Accounts + HBAC + SUDO
|
||||||
# create two user accounts, test1 and test2
|
# create two user accounts, test1 and test2
|
||||||
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
|
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
|
||||||
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
|
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
|
||||||
@ -61,13 +108,24 @@ sub run {
|
|||||||
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
assert_script_run 'ipa pwpolicy-mod --minlife=0';
|
||||||
# magic voodoo crap to allow reverse DNS client sync to work
|
# magic voodoo crap to allow reverse DNS client sync to work
|
||||||
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
|
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
|
||||||
assert_script_run 'ipa dnszone-mod test.openqa.rockylinux.org. --allow-sync-ptr=TRUE';
|
assert_script_run "ipa dnszone-mod $ipa_domain. --allow-sync-ptr=TRUE";
|
||||||
# kinit as each user and set a new password
|
# kinit as each user and set a new password
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.ROCKYLINUX.ORG';
|
assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test1\@$ipa_realm";
|
||||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.ROCKYLINUX.ORG';
|
assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test2\@$ipa_realm";
|
||||||
# we're ready for children to enrol, now
|
|
||||||
|
# add a sudo rule
|
||||||
|
assert_script_run 'ipa sudorule-add testrule --desc="Test rule in IPA" --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all';
|
||||||
|
assert_script_run 'ipa sudorule-add-user testrule --users="test1"';
|
||||||
|
validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Rule name: testrule/ };
|
||||||
|
validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Users: test1/ };
|
||||||
|
# This may fail - Invalidate sudo cache and check test1's sudo perms
|
||||||
|
assert_script_run 'sss_cache -R';
|
||||||
|
validate_script_output 'sudo -l -U test1', sub { $_ =~ m/test1 may run the following commands/ };
|
||||||
|
|
||||||
|
# we're ready for children to enroll, now
|
||||||
mutex_create("freeipa_ready");
|
mutex_create("freeipa_ready");
|
||||||
# if upgrade test, wait for children to enrol before upgrade
|
# This generally applies to Fedora upgrades. We don't perform upgrades in EL
|
||||||
|
# but we will leave this here.
|
||||||
if (get_var("UPGRADE")) {
|
if (get_var("UPGRADE")) {
|
||||||
my $children = get_children();
|
my $children = get_children();
|
||||||
my $child_id = (keys %$children)[0];
|
my $child_id = (keys %$children)[0];
|
||||||
|
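Review bot: In the first hunk, `my $ipa_hostname = script_output 'hostname';` runs before `$self->root_console();`, which in the original flow is the first console interaction of this module; unless an earlier module already left a logged-in root console, that `script_output` is issued with nobody logged in and the module will most likely fail there. Move the assignment below `$self->root_console();` — it is first needed at the `ipa service-add` line in the second hunk. In the second hunk, `ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname` passes no `-k`, yet the next line reads `/tmp/testservice.keytab`; as far as I know ipa-getkeytab does not default the keytab path, so add `-k /tmp/testservice.keytab`, and use `\Q$ipa_hostname\E` in that `klist` pattern so the dots in the hostname are literal (the client file already does this via `quotemeta`). `$relnum` is declared but unused in the visible lines here too. `run` continues outside these hunks.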