Merge pull request #141 from nazunalika/develop

Update and Provide FreeIPA Tests
This commit is contained in:
Alan Marshall 2023-09-26 11:05:08 +01:00 committed by GitHub
commit c4a3472280
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 176 additions and 55 deletions


@ -56,14 +56,12 @@ sub setup_tap_static {
} }
sub get_host_dns { sub get_host_dns {
# get DNS server addresses from the host # get DNS server addresses from the host. Assumes host uses
my @forwards; # systemd-resolved and doesn't use IPv6, for now
open(FH, '<', "/etc/resolv.conf"); my $result = `/usr/bin/resolvectl status | grep Servers | tail -1 | cut -d: -f2-`;
while (<FH>) { # FIXME this is gonna break when we have IPv6 DNS servers on the
if ($_ =~ m/^nameserver +(.+)/) { # worker hosts
push @forwards, $1; my @forwards = split(' ', $result);
}
}
return @forwards; return @forwards;
} }
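Review bot: The backtick pipeline on the `my $result = ...` line has no failure handling: if resolvectl is absent or exits non-zero the sub silently returns an empty list, and `$?` after the pipeline only reflects `cut`, the last command in it. Adding `die "no DNS servers found via resolvectl" unless @forwards;` before the return turns that into an immediate, attributable failure rather than a DNS timeout later in the test. The `grep Servers` filter presumably matches any line containing that word, so if the status output ever carries more than one such line `tail -1` may pick the wrong one — worth confirming against the worker hosts' actual resolvectl output, together with the IPv6 case the FIXME already names.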


@ -451,6 +451,9 @@ sub cleanup_workaround_repo {
} }
sub setup_workaround_repo { sub setup_workaround_repo {
# doesn't work for Rocky
my $distri = get_var("DISTRI");
return if ($distri eq "rocky");
# we periodically need to pull an update from updates-testing in # we periodically need to pull an update from updates-testing in
# to fix some bug or other. so, here's an organized way to do it. # to fix some bug or other. so, here's an organized way to do it.
# we do this here so the workaround packages are in the repo data # we do this here so the workaround packages are in the repo data
@ -502,6 +505,9 @@ sub setup_workaround_repo {
} }
sub _repo_setup_compose { sub _repo_setup_compose {
# doesn't work for Rocky
my $distri = get_var("DISTRI");
return if ($distri eq "rocky");
# doesn't work for IoT or CoreOS, anything that hits this on those # doesn't work for IoT or CoreOS, anything that hits this on those
# paths must work with default mirror config... # paths must work with default mirror config...
my $subvariant = get_var("SUBVARIANT"); my $subvariant = get_var("SUBVARIANT");
@ -531,6 +537,9 @@ sub _repo_setup_compose {
} }
sub _repo_setup_updates { sub _repo_setup_updates {
# doesn't work for Rocky
my $distri = get_var("DISTRI");
return if ($distri eq "rocky");
# Appropriate repo setup steps for testing a Bodhi update # Appropriate repo setup steps for testing a Bodhi update
# Check if we already ran, bail if so # Check if we already ran, bail if so
return unless script_run "test -f /etc/yum.repos.d/advisory.repo"; return unless script_run "test -f /etc/yum.repos.d/advisory.repo";
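Review bot: `$distri eq "rocky"` on the added lines warns about an uninitialized value whenever `DISTRI` is unset, since `get_var` presumably returns undef in that case; `return if ((get_var("DISTRI") // '') eq "rocky");` avoids the warning and the single-use variable. The same three lines are pasted into setup_workaround_repo, _repo_setup_compose and _repo_setup_updates; a one-line `_is_rocky()` helper would keep the three checks in step if the condition ever grows. All three subs continue past their hunks.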


@ -0,0 +1,16 @@
{
"area": [
{
"xpos": 618,
"height": 77,
"ypos": 224,
"type": "match",
"width": 232
}
],
"properties": [],
"tags": [
"ENV-DISTRI-rocky",
"cockpit_login"
]
}



@ -6,7 +6,7 @@ use utils;
sub run { sub run {
my $self = shift; my $self = shift;
# If UPGRADE is set, we have to wait for the entire upgrade # If UPGRADE is set, we have to wait for the entire upgrade
my $wait_time = 300; my $wait_time = 600;
$wait_time = 6000 if (get_var("UPGRADE")); $wait_time = 6000 if (get_var("UPGRADE"));
# handle bootloader, if requested # handle bootloader, if requested


@ -5,21 +5,23 @@ use utils;
sub run { sub run {
my $self = shift; my $self = shift;
# switch to tty1 (we're usually there already, but just in case my $ipa_domain = 'test.openqa.rockylinux.org';
# we're carrying on from a failed freeipa_webui that didn't fail my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
# at tty1)
send_key "ctrl-alt-f1"; # Rocky SUT is graphical so stay on/force tty3 do NOT switch to tty1
$self->root_console(tty => 3);
wait_still_screen 1; wait_still_screen 1;
# check domain is listed in 'realm list' # check domain is listed in 'realm list'
validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.rockylinux\.org.*configured: kerberos-member/s }; validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.rockylinux\.org.*configured: kerberos-member/s };
# check we can see the admin user in getent # check we can see the admin user in getent
assert_script_run 'getent passwd admin@TEST.OPENQA.ROCKYLINUX.ORG'; assert_script_run "getent passwd admin\@$ipa_realm";
# check keytab entries # check keytab entries
my $hostname = script_output 'hostname'; my $hostname = script_output 'hostname';
my $qhost = quotemeta($hostname); my $qhost = quotemeta($hostname);
validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.ROCKYLINUX\.ORG/ }; validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.ROCKYLINUX\.ORG/ };
# check we can kinit with the host principal # check we can kinit with the host principal
assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.ROCKYLINUX.ORG"; assert_script_run "kinit -k host/$hostname\@$ipa_realm";
# Set a longer timeout for login(1) to workaround RHBZ #1661273 # Set a longer timeout for login(1) to workaround RHBZ #1661273
assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs'; assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
# switch to tty2 for login tests # switch to tty2 for login tests
@ -32,7 +34,7 @@ sub run {
# "permission denied" message doesn't last that long # "permission denied" message doesn't last that long
sleep 2; sleep 2;
assert_screen "text_console_login"; assert_screen "text_console_login";
type_string "test2\@TEST.OPENQA.ROCKYLINUX.ORG\n"; type_string "test2\@$ipa_realm\n";
assert_screen "console_password_required"; assert_screen "console_password_required";
type_string "batterystaple\n"; type_string "batterystaple\n";
assert_screen "login_permission_denied"; assert_screen "login_permission_denied";
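Review bot: The `realm list` and `klist -k` checks still hard-code the domain and realm inside their regexes even though `$ipa_domain` and `$ipa_realm` were introduced at the top of the sub, and `$ipa_domain` is otherwise unused in this hunk; if either value changes, the kinit/getent lines and these two checks will diverge silently. Use the variables with quotemeta escaping: `validate_script_output 'realm list', sub { $_ =~ m/domain-name: \Q$ipa_domain\E.*configured: kerberos-member/s };` and `validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@\Q$ipa_realm\E/ };`. The `run` sub continues past the second hunk.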


@ -9,7 +9,9 @@ sub run {
# we're restarting firefox (instead of using the same one from # we're restarting firefox (instead of using the same one from
# realmd_join_cockpit) so Firefox's trusted CA store refreshes and # realmd_join_cockpit) so Firefox's trusted CA store refreshes and
# it trusts the web server cert # it trusts the web server cert
start_webui("admin", "monkeys123"); my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
my $ipa_admin_password = 'b1U3OnyX!';
start_webui("admin", $ipa_admin_password);
add_user("test3", "Three"); add_user("test3", "Three");
add_user("test4", "Four"); add_user("test4", "Four");
assert_screen "freeipa_webui_users_added"; assert_screen "freeipa_webui_users_added";
@ -48,8 +50,8 @@ sub run {
assert_screen "root_console"; assert_screen "root_console";
wait_still_screen 5; wait_still_screen 5;
# set permanent passwords for both accounts # set permanent passwords for both accounts
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test3@TEST.OPENQA.ROCKYLINUX.ORG'; assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test3\@$ipa_realm";
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test4@TEST.OPENQA.ROCKYLINUX.ORG'; assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test4\@$ipa_realm";
# switch to tty4 (boy, the tty jugglin') # switch to tty4 (boy, the tty jugglin')
send_key "ctrl-alt-f4"; send_key "ctrl-alt-f4";
# try and login as test3, should work # try and login as test3, should work
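Review bot: Switching the two kinit lines to a double-quoted Perl string changes what gets typed: Perl now interpolates `\n`, so the shell receives literal newlines inside the single-quoted printf argument instead of the `\n` escapes printf used to expand, and the command presumably relies on bash accepting newlines within quotes to keep working. Keep the escapes by doubling the backslashes, `assert_script_run "printf 'correcthorse\\nbatterystaple\\nbatterystaple' | kinit test3\@$ipa_realm";` (same for test4); the server module's kinit lines for test1 and test2 have the same change. `$ipa_admin_password = 'b1U3OnyX!'` is now also a separate literal in this module, the cockpit join module, the client module and the server module; one shared definition in the common library would stop them drifting apart. The `run` sub starts and ends outside these hunks.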


@ -57,7 +57,7 @@ sub run {
type_string("admin", 4); type_string("admin", 4);
send_key "tab"; send_key "tab";
sleep 3; sleep 3;
type_string("monkeys123", 4); type_string("b1U3OnyX!", 4);
sleep 3; sleep 3;
assert_and_click "cockpit_join_button"; assert_and_click "cockpit_join_button";
# join involves package installs, so it may take some time # join involves package installs, so it may take some time


@ -6,12 +6,39 @@ use mmapi;
use tapnet; use tapnet;
use utils; use utils;
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
# to be maintained per major version as necessary.
# label@rockylinux.org
use feature "switch";
sub run { sub run {
my $self = shift; my $self = shift;
# use FreeIPA server or replica as DNS server # use FreeIPA server or replica as DNS server
my $version_major = get_version_major;
my $relnum = get_release_number;
my $ipa_admin_password = 'b1U3OnyX!';
my $server = 'ipa001.test.openqa.rockylinux.org'; my $server = 'ipa001.test.openqa.rockylinux.org';
my $server_ip = '172.16.2.100'; my $server_ip = '172.16.2.100';
my $server_mutex = 'freeipa_ready'; my $server_mutex = 'freeipa_ready';
my $ipa_install_cmd;
my @ipa_firewall_services;
given ($version_major) {
when ('8') {
$ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
@ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
}
when ('9') {
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
@ipa_firewall_services = qw(freeipa-4 dns);
}
default {
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
@ipa_firewall_services = qw(freeipa-4 dns);
}
}
if (get_var("FREEIPA_REPLICA")) { if (get_var("FREEIPA_REPLICA")) {
$server = 'ipa002.test.openqa.rockylinux.org'; $server = 'ipa002.test.openqa.rockylinux.org';
$server_ip = '172.16.2.106'; $server_ip = '172.16.2.106';
@ -40,22 +67,22 @@ sub run {
if (get_var("FREEIPA_REPLICA")) { if (get_var("FREEIPA_REPLICA")) {
# here we're enrolling not just as a client, but as a replica # here we're enrolling not just as a client, but as a replica
# install server packages # install server packages
assert_script_run "dnf -y groupinstall freeipa-server", 600; assert_script_run "$ipa_install_cmd", 600;
# we need a lot of entropy for this, and we don't care how good # we need a lot of entropy for this, and we don't care how good
# it is, so let's use haveged # it is, so let's use haveged
assert_script_run "dnf -y install haveged", 300; assert_script_run "dnf --assumeyes install rng-tools", 300;
assert_script_run 'systemctl start haveged.service'; assert_script_run 'systemctl start rngd.service';
# configure the firewall # configure the firewall
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) { for my $service (@ipa_firewall_services) {
assert_script_run "firewall-cmd --permanent --add-service $service"; assert_script_run "firewall-cmd --permanent --add-service $service";
} }
assert_script_run "systemctl restart firewalld.service"; assert_script_run "systemctl restart firewalld.service";
# deploy as a replica # deploy as a replica
my ($ip, $hostname) = split(/ /, get_var("POST_STATIC")); my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123"; my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password $ipa_admin_password";
assert_script_run "ipa-replica-install $args", 1500; assert_script_run "ipa-replica-install $args", 1500;
# enable and start the systemd service # enable and start the systemd service
@ -69,7 +96,7 @@ sub run {
wait_for_children; wait_for_children;
} }
else { else {
assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300; assert_script_run "echo '$ipa_admin_password' | realm join --user=admin ${server}", 300;
} }
# set sssd debugging level higher (useful for debugging failures) # set sssd debugging level higher (useful for debugging failures)
# optional as it's not really part of the test # optional as it's not really part of the test
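Review bot: The `given`/`when` block that selects `$ipa_install_cmd` depends on the experimental switch/smartmatch feature (`use feature "switch"` at the top of the hunk), which warns on current perls and is slated for removal, and its `when ('9')` and `default` arms are identical. A plain `if`/`else` on `$version_major` expresses the same choice without the feature pragma, and `$relnum` is assigned but never read in these hunks and can go. Separately, `$ipa_admin_password` is interpolated unquoted into `$args` for ipa-replica-install; with a `!` in the value this works only because the next character happens to be a space, so quote it: `--admin-password '$ipa_admin_password'`. The same switch block and unquoted interpolation appear in the server module. The `run` sub continues past the last hunk.
```perl
my $version_major = get_version_major;
my $ipa_admin_password = 'b1U3OnyX!';
# … unchanged: $server / $server_ip / $server_mutex …
my ($ipa_install_cmd, @ipa_firewall_services);
if ($version_major eq '8') {
    # 8 installs FreeIPA from the idm module stream
    $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
    @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
}
else {
    # 9 and anything newer share the same packages and firewalld services
    # (this was also the former default arm)
    $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
    @ipa_firewall_services = qw(freeipa-4 dns);
}
# … unchanged: FREEIPA_REPLICA handling …
```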


@ -6,23 +6,50 @@ use mmapi;
use tapnet; use tapnet;
use utils; use utils;
# Adapted from Fedora's OpenQA tests, with some modifications. This will need
# to be maintained per major version as necessary.
# label@rockylinux.org
use feature "switch";
sub run { sub run {
my $self = shift; my $self = shift;
# login my $version_major = get_version_major;
$self->root_console(); my $relnum = get_release_number;
# use compose repo, disable u-t, etc. unless this is an upgrade my $ipa_hostname = script_output 'hostname';
# test (in which case we're on the 'old' release at this point; my $ipa_install_cmd;
# one of the upgrade test modules does repo_setup later) my @ipa_firewall_services;
repo_setup() unless get_var("UPGRADE"); my $ipa_domain = 'test.openqa.rockylinux.org';
# use --enablerepo=fedora for Modular compose testing (we need to my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
# create and use a non-Modular repo to get some packages which my $ipa_admin_password = 'b1U3OnyX!';
# aren't in Modular Server composes) my $ipa_reverse_zone = '2.16.172.in-addr.arpa';
my $extraparams = ''; my $ipa_install_args = "-U --auto-forwarders --realm=$ipa_realm --domain=$ipa_domain --ds-password=$ipa_admin_password --admin-password=$ipa_admin_password --setup-dns --reverse-zone=$ipa_reverse_zone --allow-zone-overlap --skip-mem-check";
$extraparams = '--enablerepo=fedora' if (get_var("MODULAR")); given ($version_major) {
# we need a lot of entropy for this, and we don't care how good when ('8') {
# it is, so let's use haveged $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
assert_script_run "dnf ${extraparams} -y install haveged", 300; @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
assert_script_run 'systemctl start haveged.service'; }
when ('9') {
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
@ipa_firewall_services = qw(freeipa-4 dns);
}
default {
$ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
@ipa_firewall_services = qw(freeipa-4 dns);
}
}
# switch to TTY3 for both, graphical and console tests
$self->root_console(tty => 3);
if (get_var("ROOT_PASSWORD")) {
console_login(user => "root", password => get_var("ROOT_PASSWORD"));
}
# We need entropy. Install rng-tools and start it up. Fedora uses haveged
# but Rocky Linux does not have it unless EPEL is used.
assert_script_run "dnf --assumeyes install rng-tools", 300;
assert_script_run 'systemctl start rngd.service';
# per ab, this should get us extra debug logging from the web UI # per ab, this should get us extra debug logging from the web UI
# in error_log # in error_log
assert_script_run 'mkdir -p /etc/ipa'; assert_script_run 'mkdir -p /etc/ipa';
@ -30,24 +57,49 @@ sub run {
# per ab, this gets us more debugging for bind # per ab, this gets us more debugging for bind
assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d'; assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf'; assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
# First install the necessary packages # Based on the major version, install FreeIPA
assert_script_run "dnf -y groupinstall freeipa-server", 600; assert_script_run "$ipa_install_cmd", 600;
# configure the firewall # Enable all the firewall services as needed per major version
for my $service (qw(freeipa-ldap freeipa-ldaps dns)) { for my $service (@ipa_firewall_services) {
assert_script_run "firewall-cmd --permanent --add-service $service"; assert_script_run "firewall-cmd --permanent --add-service $service";
} }
assert_script_run "systemctl restart firewalld.service"; assert_script_run "systemctl restart firewalld.service";
# deploy the server # deploy the server
my $args = "-U --auto-forwarders --realm=TEST.OPENQA.ROCKYLINUX.ORG --domain=test.openqa.rockylinux.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap"; assert_script_run "ipa-server-install $ipa_install_args", 1200;
assert_script_run "ipa-server-install $args", 1200;
# enable and start the systemd service # enable and start the systemd service
assert_script_run "systemctl enable ipa.service"; assert_script_run "systemctl enable ipa.service";
assert_script_run "systemctl start ipa.service", 300; assert_script_run "systemctl start ipa.service", 300;
# kinit as admin # kinit as admin
assert_script_run 'echo "monkeys123" | kinit admin'; assert_script_run "echo '$ipa_admin_password' | kinit admin";
# set up an OTP for client001 enrolment (it will enrol with a kickstart) # set up an OTP for client001 enrolment (this should enroll by kickstart or another way)
assert_script_run 'ipa host-add client001.test.openqa.rockylinux.org --password=monkeys --force'; assert_script_run "ipa host-add client001.$ipa_domain --password=monkeys --force";
############################################################################
# Testing kerb services
assert_script_run "ipa service-add testservice/$ipa_hostname";
assert_script_run "ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname -k /tmp/testservice.keytab";
validate_script_output 'klist -k /tmp/testservice.keytab', sub { $_ =~ m/testservice\/$ipa_hostname/ };
# This is commented for now. We need a while loop that watches for ipa-getcert list -r to become empty.
#assert_script_run "ipa-getcert request -K testservice/$ipa_hostname -D $ipa_hostname -f /etc/pki/tls/certs/testservice.pki -k /etc/pki/tls/private/testservice.key";
#validate_script_output "ipa-getcert list -r | sed -n '/Request ID/,/auto-renew: yes/p'", sub { $_ =~ m// };
############################################################################
# Testing DNS
assert_script_run "ipa dnszone-add --name-server=$ipa_hostname. --admin-email=hostmaster.testzone.$ipa_domain. testzone.$ipa_domain";
sleep(5);
# ensure subdomain was made
validate_script_output "dig \@localhost SOA testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
# make test records with CNAME
assert_script_run "ipa dnsrecord-add $ipa_domain testrecord --cname-hostname=onyxtest";
# validate it works
validate_script_output "dig \@localhost CNAME testrecord.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
# make test records with CNAME in subdomain
assert_script_run "ipa dnsrecord-add testzone.$ipa_domain testrecord --cname-hostname=onyxtest.$ipa_domain";
# validate it works
validate_script_output "dig \@localhost CNAME testrecord.testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
############################################################################
# User Accounts + HBAC + SUDO
# create two user accounts, test1 and test2 # create two user accounts, test1 and test2
assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password'; assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password'; assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
@ -61,13 +113,28 @@ sub run {
assert_script_run 'ipa pwpolicy-mod --minlife=0'; assert_script_run 'ipa pwpolicy-mod --minlife=0';
# magic voodoo crap to allow reverse DNS client sync to work # magic voodoo crap to allow reverse DNS client sync to work
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html # https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
assert_script_run 'ipa dnszone-mod test.openqa.rockylinux.org. --allow-sync-ptr=TRUE'; assert_script_run "ipa dnszone-mod $ipa_domain. --allow-sync-ptr=TRUE";
# kinit as each user and set a new password # kinit as each user and set a new password
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.ROCKYLINUX.ORG'; assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test1\@$ipa_realm";
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.ROCKYLINUX.ORG'; assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test2\@$ipa_realm";
# we're ready for children to enrol, now
# add a sudo rule
assert_script_run "kswitch -p admin\@$ipa_realm";
assert_script_run 'ipa sudorule-add testrule --desc="Test rule in IPA" --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all';
assert_script_run 'ipa sudorule-add-user testrule --users="test1"';
validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Rule name: testrule/ };
validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Users: test1/ };
# This may fail - Invalidate sudo cache and check test1's sudo perms
# If we want to test this in openQA it appears we may need to deploy more complete
# config for sudo. For now change validate_script_output to assert_script_run
assert_script_run 'sss_cache -R';
#validate_script_output 'sudo -l -U test1', sub { $_ =~ m/test1 may run the following commands/ };
assert_script_run 'sudo -l -U test1';
# we're ready for children to enroll, now
mutex_create("freeipa_ready"); mutex_create("freeipa_ready");
# if upgrade test, wait for children to enrol before upgrade # This generally applies to Fedora upgrades. We don't perform upgrades in EL
# but we will leave this here.
if (get_var("UPGRADE")) { if (get_var("UPGRADE")) {
my $children = get_children(); my $children = get_children();
my $child_id = (keys %$children)[0]; my $child_id = (keys %$children)[0];