use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
use tapnet;
use utils;
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
# to be maintained per major version as necessary.
# label@rockylinux.org
use feature "switch";
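sub run {
    # Deploy a FreeIPA server on the freshly installed system and exercise
    # it end to end: Kerberos service principals, integrated DNS, user
    # accounts, HBAC and sudo rules. Every step goes through
    # assert_script_run / validate_script_output, so the first failing
    # command fails the module (and, via test_flags, the whole job).
    # Once the server is verified, the "freeipa_ready" mutex tells client
    # jobs that they may enrol.
    my $self = shift;

    my $version_major = get_version_major;
    my $ipa_hostname = script_output 'hostname';

    # Fixed, throwaway credentials and naming for the test domain. They are
    # passed on command lines below and therefore end up in the serial and
    # console logs of the job; that is only acceptable because these values
    # exist solely inside the isolated openQA network.
    my $ipa_domain = 'test.openqa.rockylinux.org';
    my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
    my $ipa_admin_password = 'b1U3OnyX!';
    my $ipa_reverse_zone = '2.16.172.in-addr.arpa';
    my $ipa_install_args = "-U --auto-forwarders --realm=$ipa_realm --domain=$ipa_domain --ds-password=$ipa_admin_password --admin-password=$ipa_admin_password --setup-dns --reverse-zone=$ipa_reverse_zone --allow-zone-overlap";

    # Keytab that the service-principal check below reads back.
    my $ipa_keytab = '/tmp/testservice.keytab';

    # Package set and firewalld service names differ between EL8 (idm module
    # stream, one firewalld service per protocol) and EL9 (plain packages,
    # single 'freeipa-4' firewalld service). Anything that is not 8 gets the
    # EL9 set, matching the old 'default' branch. A plain if/else replaces
    # given/when because the 'switch' feature is deprecated.
    my $ipa_install_cmd;
    my @ipa_firewall_services;
    if ($version_major eq '8') {
        $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
        @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
    }
    else {
        $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
        @ipa_firewall_services = qw(freeipa-4 dns);
    }

    # Switch to TTY3 for both graphical and console tests.
    $self->root_console(tty => 3);

    if (get_var("ROOT_PASSWORD")) {
        console_login(user => "root", password => get_var("ROOT_PASSWORD"));
    }

    # Key generation during ipa-server-install needs entropy. Fedora uses
    # haveged; Rocky Linux only ships it in EPEL, so use rng-tools instead.
    assert_script_run "dnf --assumeyes install rng-tools", 300;
    assert_script_run 'systemctl start rngd.service';

    # Extra debug logging from the web UI, ends up in error_log.
    assert_script_run 'mkdir -p /etc/ipa';
    assert_script_run 'printf "[global]\ndebug = True\n" > /etc/ipa/server.conf';

    # More verbose logging for bind (the named-pkcs11 unit).
    assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
    assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';

    # Install FreeIPA with the per-major-version command chosen above.
    assert_script_run "$ipa_install_cmd", 600;

    # Open the firewall for the services this version needs, then restart
    # firewalld so the permanent rules take effect.
    for my $service (@ipa_firewall_services) {
        assert_script_run "firewall-cmd --permanent --add-service $service";
    }
    assert_script_run "systemctl restart firewalld.service";

    # Deploy the server (unattended; DNS and reverse zone included).
    assert_script_run "ipa-server-install $ipa_install_args", 1200;

    # Make the deployment survive a reboot.
    assert_script_run "systemctl enable ipa.service";
    assert_script_run "systemctl start ipa.service", 300;

    # Obtain an admin ticket for the ipa commands that follow.
    assert_script_run "echo '$ipa_admin_password' | kinit admin";

    # Set up an OTP for client001 enrolment (it should enrol by kickstart or
    # another way).
    assert_script_run "ipa host-add client001.$ipa_domain --password=monkeys --force";

    ############################################################################
    # Kerberos services: add a principal, fetch its key and check the keytab.
    # ipa-getkeytab writes to the file given by -k; the klist check reads
    # that same file, so the two must agree on $ipa_keytab.
    assert_script_run "ipa service-add testservice/$ipa_hostname";
    assert_script_run "ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname -k $ipa_keytab";
    # \Q...\E: the hostname contains dots, which must match literally.
    validate_script_output "klist -k $ipa_keytab", sub { $_ =~ m{testservice/\Q$ipa_hostname\E} };

    # Certificate issuance is left disabled for now: it needs a loop that
    # waits for 'ipa-getcert list -r' to become empty before validating.
    #assert_script_run "ipa-getcert request -K testservice/$ipa_hostname -D $ipa_hostname -f /etc/pki/tls/certs/testservice.pki -k /etc/pki/tls/private/testservice.key";
    #validate_script_output "ipa-getcert list -r | sed -n '/Request ID/,/auto-renew: yes/p'", sub { $_ =~ m// };

    ############################################################################
    # DNS: create a sub-zone and CNAME records, resolve them via the local
    # integrated name server.
    assert_script_run "ipa dnszone-add --name-server=$ipa_hostname. --admin-email=hostmaster.testzone.$ipa_domain. testzone.$ipa_domain";
    # Give bind a moment to load the new zone before querying it.
    sleep(5);
    # Ensure the sub-zone was created.
    validate_script_output "dig \@localhost SOA testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };

    # CNAME in the main zone.
    assert_script_run "ipa dnsrecord-add $ipa_domain testrecord --cname-hostname=onyxtest";
    validate_script_output "dig \@localhost CNAME testrecord.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };

    # CNAME in the sub-zone.
    assert_script_run "ipa dnsrecord-add testzone.$ipa_domain testrecord --cname-hostname=onyxtest.$ipa_domain";
    validate_script_output "dig \@localhost CNAME testrecord.testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };

    ############################################################################
    # User accounts + HBAC + sudo.
    # Create two users, test1 and test2.
    assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
    assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';

    # HBAC: a rule allowing access to all hosts and services, with test1
    # (but not test2) as a member, and the default 'everyone everywhere'
    # rule disabled so the new rule is what actually decides access.
    assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
    assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
    assert_script_run 'ipa hbacrule-disable allow_all';

    # Allow immediate password changes, as the tests need to exercise this.
    assert_script_run 'ipa pwpolicy-mod --minlife=0';

    # Let clients update their reverse (PTR) records on enrolment; see
    # https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
    assert_script_run "ipa dnszone-mod $ipa_domain. --allow-sync-ptr=TRUE";

    # kinit as each user; the initial password is expired, so kinit prompts
    # for a new one (entered twice) and the lines are fed via printf.
    assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test1\@$ipa_realm";
    assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test2\@$ipa_realm";

    # sudo: an allow-everything rule that only test1 is a member of.
    assert_script_run 'ipa sudorule-add testrule --desc="Test rule in IPA" --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all';
    assert_script_run 'ipa sudorule-add-user testrule --users="test1"';
    validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Rule name: testrule/ };
    validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Users: test1/ };

    # Invalidate the sssd cache so the new rule is visible, then check that
    # test1's sudo permissions come through. This step may fail.
    assert_script_run 'sss_cache -R';
    validate_script_output 'sudo -l -U test1', sub { $_ =~ m/test1 may run the following commands/ };

    # The server is ready for children to enrol.
    mutex_create("freeipa_ready");

    # Upgrade handling as used by the Fedora tests. Upgrades are not run in
    # EL, but the logic is kept: wait until the (single) client child has
    # enrolled before continuing.
    if (get_var("UPGRADE")) {
        my $children = get_children();
        my ($child_id) = keys %$children;
        # An undef child id would make mutex_lock wait on the wrong job
        # (and hang), so fail loudly instead.
        die "UPGRADE is set but this job has no child jobs to wait for" unless defined $child_id;
        mutex_lock('client_enrolled', $child_id);
        mutex_unlock('client_enrolled');
    }
}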
sub test_flags {
    # Scheduler flags for this module: a failure here aborts the whole job,
    # since every later module relies on the deployed server.
    my %flags = (fatal => 1);
    return \%flags;
}
1;
# vim: set sw=4 et: