From ff01caf98802a28c0d0c2c9613bd173b47ddd00b Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Wed, 17 May 2023 14:03:44 -0700
Subject: [PATCH] Update FreeIPA tests
Updating freeipa tests to:
* Make it more consistent with Rocky Linux
* Use of rockylinux.org domain instead of fedoraproject.org
* Ensure fedora-only elements are removed or changed to work in EL
---
 tests/freeipa_client.pm | 8 +-
 tests/freeipa_webui.pm | 8 +-
 tests/realmd_join_cockpit.pm | 2 +-
 tests/realmd_join_sssd.pm | 39 +++++++--
 tests/role_deploy_domain_controller.pm | 112 +++++++++++++++++++------
 5 files changed, 129 insertions(+), 40 deletions(-)
diff --git a/tests/freeipa_client.pm b/tests/freeipa_client.pm
index b0a92b30..c54881ab 100644
--- a/tests/freeipa_client.pm
+++ b/tests/freeipa_client.pm
@@ -8,18 +8,20 @@ sub run {
 # switch to tty1 (we're usually there already, but just in case
 # we're carrying on from a failed freeipa_webui that didn't fail
 # at tty1)
+ my $ipa_domain = 'test.openqa.rockylinux.org';
+ my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
 send_key "ctrl-alt-f1";
 wait_still_screen 1;
 # check domain is listed in 'realm list'
 validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.rockylinux\.org.*configured: kerberos-member/s };
 # check we can see the admin user in getent
- assert_script_run 'getent passwd admin@TEST.OPENQA.ROCKYLINUX.ORG';
+ assert_script_run "getent passwd admin\@$ipa_realm";
 # check keytab entries
 my $hostname = script_output 'hostname';
 my $qhost = quotemeta($hostname);
 validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.ROCKYLINUX\.ORG/ };
 # check we can kinit with the host principal
- assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.ROCKYLINUX.ORG";
+ assert_script_run "kinit -k host/$hostname\@$ipa_realm";
 # Set a longer timeout for login(1) to workaround RHBZ #1661273
 assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
 # switch to tty2 for login tests
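Review bot: `$ipa_domain` is declared but never read in this hunk, and the `realm list` and `klist -k` checks a few lines below still hard-code the literal domain and realm, so the new variables cover only half of the references. Using them in the regexes too keeps one source of truth: `validate_script_output 'realm list', sub { $_ =~ m/domain-name: \Q$ipa_domain\E.*configured: kerberos-member/s };` and `validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@\Q$ipa_realm\E/ };`, where `\Q…\E` keeps the dots from matching any character. run() continues past the end of this hunk, so `$ipa_domain` may be used further down the file.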
@@ -32,7 +34,7 @@ sub run {
 # "permission denied" message doesn't last that long
 sleep 2;
 assert_screen "text_console_login";
- type_string "test2\@TEST.OPENQA.ROCKYLINUX.ORG\n";
+ type_string "test2\@$ipa_realm\n";
 assert_screen "console_password_required";
 type_string "batterystaple\n";
 assert_screen "login_permission_denied";
diff --git a/tests/freeipa_webui.pm b/tests/freeipa_webui.pm
index 71318d95..8851c9bd 100644
--- a/tests/freeipa_webui.pm
+++ b/tests/freeipa_webui.pm
@@ -9,7 +9,9 @@ sub run {
 # we're restarting firefox (instead of using the same one from
 # realmd_join_cockpit) so Firefox's trusted CA store refreshes and
 # it trusts the web server cert
- start_webui("admin", "monkeys123");
+ my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
+ my $ipa_admin_password = 'b1U3OnyX!';
+ start_webui("admin", $ipa_admin_password);
 add_user("test3", "Three");
 add_user("test4", "Four");
 assert_screen "freeipa_webui_users_added";
@@ -48,8 +50,8 @@ sub run {
 assert_screen "root_console";
 wait_still_screen 5;
 # set permanent passwords for both accounts
- assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test3@TEST.OPENQA.ROCKYLINUX.ORG';
- assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test4@TEST.OPENQA.ROCKYLINUX.ORG';
+ assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test3\@$ipa_realm";
+ assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test4\@$ipa_realm";
 # switch to tty4 (boy, the tty jugglin')
 send_key "ctrl-alt-f4";
 # try and login as test3, should work
diff --git a/tests/realmd_join_cockpit.pm b/tests/realmd_join_cockpit.pm
index 9d174a44..6c319799 100644
--- a/tests/realmd_join_cockpit.pm
+++ b/tests/realmd_join_cockpit.pm
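Review bot: The admin password `'b1U3OnyX!'` is now a separate literal in freeipa_webui.pm, realmd_join_sssd.pm and role_deploy_domain_controller.pm (each with its own `my $ipa_admin_password`) and is typed bare in realmd_join_cockpit.pm as `type_string("b1U3OnyX!", 4);`, which is exactly the kind of scatter this commit had to chase for monkeys123. One definition in the shared utils.pm that every module already imports, or a job variable read through `get_var`, would keep the modules from drifting apart the next time the value changes; `$ipa_realm` and `$ipa_domain`, re-declared in three files, would benefit from the same treatment.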
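Review bot: In `assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test3\@$ipa_realm";` the string is now Perl double-quoted, so each `\n` is interpolated into a real newline and the command is typed at the console as three lines, whereas the old single-quoted form passed the backslash sequence through for printf to interpret. Bash usually reassembles the open-quoted continuation lines, so this tends to work by accident, but it depends on the console and on how script_run wraps the command. Doubling the backslashes, `printf 'correcthorse\\nbatterystaple\\nbatterystaple'`, restores the intended behaviour; the `test4` line below and the `test1`/`test2` lines in the role_deploy_domain_controller.pm hunk at -61,13 have the same issue.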
@@ -57,7 +57,7 @@ sub run {
 type_string("admin", 4);
 send_key "tab";
 sleep 3;
- type_string("monkeys123", 4);
+ type_string("b1U3OnyX!", 4);
 sleep 3;
 assert_and_click "cockpit_join_button";
 # join involves package installs, so it may take some time
diff --git a/tests/realmd_join_sssd.pm b/tests/realmd_join_sssd.pm
index 0bde0978..70e9c654 100644
--- a/tests/realmd_join_sssd.pm
+++ b/tests/realmd_join_sssd.pm
@@ -6,12 +6,39 @@ use mmapi;
 use tapnet;
 use utils;
 
+# Adapted from Fedora's OpenQA tests, with some modifications. This will need
+# to be maintained per major version as necessary.
+# label@rockylinux.org
+
+use feature "switch";
+
 sub run {
 my $self = shift;
 # use FreeIPA server or replica as DNS server
+ my $version_major = get_version_major;
+ my $relnum = get_release_number;
+ my $ipa_admin_password = 'b1U3OnyX!';
 my $server = 'ipa001.test.openqa.rockylinux.org';
 my $server_ip = '172.16.2.100';
 my $server_mutex = 'freeipa_ready';
+ my $ipa_install_cmd;
+ my @ipa_firewall_services;
+ given ($version_major) {
+ when ('8') {
+ $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
+ @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
+ }
+ when ('9') {
+ $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
+ @ipa_firewall_services = qw(freeipa-4 dns);
+ }
+ default {
+ $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
+ @ipa_firewall_services = qw(freeipa-4 dns);
+ }
+ }
+
+
 if (get_var("FREEIPA_REPLICA")) {
 $server = 'ipa002.test.openqa.rockylinux.org';
 $server_ip = '172.16.2.106';
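Review bot: `given`/`when` enabled by `use feature "switch";` has been experimental since it was introduced (the perls shipped with EL8 and EL9 warn "given is experimental" under `use warnings`) and is deprecated from Perl 5.38, so this dispatch is the part of the module most likely to break on a newer worker. The `when ('9')` and `default` arms are also identical, and `$relnum` is assigned but never read in this hunk. A lookup hash with a defined-or fallback, sketched below, expresses the same per-version choice with no feature pragma; the role_deploy_domain_controller.pm hunk at -6,23 carries the same block and would take the same change. `run()` continues past the end of this hunk.
```perl
    my $version_major = get_version_major;
    my %ipa_setup_for = (
        '8' => {
            install_cmd       => 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}',
            firewall_services => [qw(http https kerberos kpasswd ldap ldaps dns)],
        },
        '9' => {
            install_cmd       => 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa',
            firewall_services => [qw(freeipa-4 dns)],
        },
    );
    # unknown major versions get the EL9 package set, as the old default arm did
    my $ipa_setup = $ipa_setup_for{$version_major} // $ipa_setup_for{'9'};
    my $ipa_install_cmd = $ipa_setup->{install_cmd};
    my @ipa_firewall_services = @{ $ipa_setup->{firewall_services} };
    # … unchanged: $ipa_admin_password, $server / $server_ip / $server_mutex, FREEIPA_REPLICA handling …
```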
@@ -40,22 +67,22 @@ sub run {
 if (get_var("FREEIPA_REPLICA")) {
 # here we're enrolling not just as a client, but as a replica
 # install server packages
- assert_script_run "dnf -y groupinstall freeipa-server", 600;
+ assert_script_run "$ipa_install_cmd", 600;
 # we need a lot of entropy for this, and we don't care how good
 # it is, so let's use haveged
- assert_script_run "dnf -y install haveged", 300;
- assert_script_run 'systemctl start haveged.service';
+ assert_script_run "dnf --assumeyes install rng-tools", 300;
+ assert_script_run 'systemctl start rngd.service';
 # configure the firewall
- for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
+ for my $service (@ipa_firewall_services) {
 assert_script_run "firewall-cmd --permanent --add-service $service";
 }
 assert_script_run "systemctl restart firewalld.service";
 # deploy as a replica
 my ($ip, $hostname) = split(/ /, get_var("POST_STATIC"));
- my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password monkeys123";
+ my $args = "--ip-address=$ip --setup-dns --auto-forwarders --setup-ca --allow-zone-overlap -U --principal admin --admin-password $ipa_admin_password";
 assert_script_run "ipa-replica-install $args", 1500;
 # enable and start the systemd service
@@ -69,7 +96,7 @@ sub run {
 wait_for_children;
 }
 else {
- assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300;
+ assert_script_run "echo '$ipa_admin_password' | realm join --user=admin ${server}", 300;
 }
 # set sssd debugging level higher (useful for debugging failures)
 # optional as it's not really part of the test
diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm
index 2a43747f..3766ac2b 100644
--- a/tests/role_deploy_domain_controller.pm
+++ b/tests/role_deploy_domain_controller.pm
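Review bot: The context lines `# we need a lot of entropy for this, and we don't care how good` / `# it is, so let's use haveged` now sit directly above `dnf --assumeyes install rng-tools` and `systemctl start rngd.service`, so the comment contradicts the code; the role_deploy_domain_controller.pm hunk rewrote its copy of this comment and this one should match, e.g. `# it is, so let's use rngd (rng-tools); haveged needs EPEL on Rocky Linux`. Separately, `--admin-password $ipa_admin_password` puts `b1U3OnyX!` unquoted at the very end of a line typed at an interactive shell, where a trailing `!` is only safe from history expansion depending on the character script_run appends after it; single-quoting the value, `--admin-password '$ipa_admin_password'`, removes that dependency. `"$ipa_install_cmd"` on the first changed line wraps a lone scalar in quotes to no effect and can be passed bare.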
@@ -6,23 +6,45 @@ use mmapi;
 use tapnet;
 use utils;
 
+# Adapted from Fedora's OpenQA tests, with some modifications. This will need
+# to be maintained per major version as necessary.
+# label@rockylinux.org
+
+use feature "switch";
+
 sub run {
 my $self = shift;
+ my $version_major = get_version_major;
+ my $relnum = get_release_number;
+ my $ipa_hostname = script_output 'hostname';
+ my $ipa_install_cmd;
+ my @ipa_firewall_services;
+ my $ipa_domain = 'test.openqa.rockylinux.org';
+ my $ipa_realm = 'TEST.OPENQA.ROCKYLINUX.ORG';
+ my $ipa_admin_password = 'b1U3OnyX!';
+ my $ipa_reverse_zone = '2.16.172.in-addr.arpa';
+ my $ipa_install_args = "-U --auto-forwarders --realm=$ipa_realm --domain=$ipa_domain --ds-password=$ipa_admin_password --admin-password=$ipa_admin_password --setup-dns --reverse-zone=$ipa_reverse_zone --allow-zone-overlap";
+ given ($version_major) {
+ when ('8') {
+ $ipa_install_cmd = 'dnf --assumeyes module install idm:DL1/{dns,client,server,common}';
+ @ipa_firewall_services = qw(http https kerberos kpasswd ldap ldaps dns);
+ }
+ when ('9') {
+ $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
+ @ipa_firewall_services = qw(freeipa-4 dns);
+ }
+ default {
+ $ipa_install_cmd = 'dnf --assumeyes install ipa-server ipa-client ipa-server-dns sssd sssd-ipa';
+ @ipa_firewall_services = qw(freeipa-4 dns);
+ }
+ }
+
 # login
 $self->root_console();
- # use compose repo, disable u-t, etc. unless this is an upgrade
- # test (in which case we're on the 'old' release at this point;
- # one of the upgrade test modules does repo_setup later)
- repo_setup() unless get_var("UPGRADE");
- # use --enablerepo=fedora for Modular compose testing (we need to
- # create and use a non-Modular repo to get some packages which
- # aren't in Modular Server composes)
- my $extraparams = '';
- $extraparams = '--enablerepo=fedora' if (get_var("MODULAR"));
- # we need a lot of entropy for this, and we don't care how good
- # it is, so let's use haveged
- assert_script_run "dnf ${extraparams} -y install haveged", 300;
- assert_script_run 'systemctl start haveged.service';
+ # We need entropy. Install rng-tools and start it up. Fedora uses haveged
+ # but Rocky Linux does not have it unless EPEL is used.
+ assert_script_run "dnf --assumeyes install rng-tools", 300;
+ assert_script_run 'systemctl start rngd.service';
 # per ab, this should get us extra debug logging from the web UI
 # in error_log
 assert_script_run 'mkdir -p /etc/ipa';
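Review bot: `my $ipa_hostname = script_output 'hostname';` runs before `$self->root_console();`, which the `# login` comment marks as the point where a shell becomes available; if the preceding module does not leave a logged-in console (the reason the login step exists), the hostname command is typed at a login prompt and `script_output` times out before the real work starts. Moving that one line to just after `$self->root_console();` keeps the declaration block free of console I/O at no cost, and `$ipa_install_args` does not depend on it. `run()` continues past the end of this hunk.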
@@ -30,24 +52,49 @@ sub run {
 # per ab, this gets us more debugging for bind
 assert_script_run 'mkdir -p /etc/systemd/system/named-pkcs11.service.d';
 assert_script_run 'printf "[Service]\nEnvironment=OPTIONS=-d5\n" > /etc/systemd/system/named-pkcs11.service.d/debug.conf';
- # First install the necessary packages
- assert_script_run "dnf -y groupinstall freeipa-server", 600;
- # configure the firewall
- for my $service (qw(freeipa-ldap freeipa-ldaps dns)) {
+ # Based on the major version, install FreeIPA
+ assert_script_run "$ipa_install_cmd", 600;
+ # Enable all the firewall services as needed per major version
+ for my $service (@ipa_firewall_services) {
 assert_script_run "firewall-cmd --permanent --add-service $service";
 }
 assert_script_run "systemctl restart firewalld.service";
 # deploy the server
- my $args = "-U --auto-forwarders --realm=TEST.OPENQA.ROCKYLINUX.ORG --domain=test.openqa.rockylinux.org --ds-password=monkeys123 --admin-password=monkeys123 --setup-dns --reverse-zone=2.16.172.in-addr.arpa --allow-zone-overlap";
- assert_script_run "ipa-server-install $args", 1200;
+ assert_script_run "ipa-server-install $ipa_install_args", 1200;
 # enable and start the systemd service
 assert_script_run "systemctl enable ipa.service";
 assert_script_run "systemctl start ipa.service", 300;
 # kinit as admin
- assert_script_run 'echo "monkeys123" | kinit admin';
- # set up an OTP for client001 enrolment (it will enrol with a kickstart)
- assert_script_run 'ipa host-add client001.test.openqa.rockylinux.org --password=monkeys --force';
+ assert_script_run "echo '$ipa_admin_password' | kinit admin";
+ # set up an OTP for client001 enrolment (this should enroll by kickstart or another way)
+ assert_script_run "ipa host-add client001.$ipa_domain --password=monkeys --force";
+ ############################################################################
+ # Testing kerb services
+ assert_script_run "ipa service-add testservice/$ipa_hostname";
+ assert_script_run "ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname";
+ validate_script_output 'klist -k /tmp/testservice.keytab', sub { $_ =~ m/testservice\/$ipa_hostname/ };
+ # This is commented for now. We need a while loop that watches for ipa-getcert list -r to become empty.
+ #assert_script_run "ipa-getcert request -K testservice/$ipa_hostname -D $ipa_hostname -f /etc/pki/tls/certs/testservice.pki -k /etc/pki/tls/private/testservice.key";
+ #validate_script_output "ipa-getcert list -r | sed -n '/Request ID/,/auto-renew: yes/p'", sub { $_ =~ m// };
+
+ ############################################################################
+ # Testing DNS
+ assert_script_run "ipa dnszone-add --name-server=$ipa_hostname. --admin-email=hostmaster.testzone.$ipa_domain. testzone.$ipa_domain";
+ sleep(5);
+ # ensure subdomain was made
+ validate_script_output "dig \@localhost SOA testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
+ # make test records with CNAME
+ assert_script_run "ipa dnsrecord-add $ipa_domain testrecord --cname-hostname=onyxtest";
+ # validate it works
+ validate_script_output "dig \@localhost CNAME testrecord.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
+ # make test records with CNAME in subdomain
+ assert_script_run "ipa dnsrecord-add testzone.$ipa_domain testrecord --cname-hostname=onyxtest.$ipa_domain";
+ # validate it works
+ validate_script_output "dig \@localhost CNAME testrecord.testzone.$ipa_domain", sub { $_ =~ m/status: NOERROR/ };
+
+ ############################################################################
+ # User Accounts + HBAC + SUDO
 # create two user accounts, test1 and test2
 assert_script_run 'echo "correcthorse" | ipa user-add test1 --first test --last one --password';
 assert_script_run 'echo "correcthorse" | ipa user-add test2 --first test --last two --password';
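Review bot: `assert_script_run "ipa-getkeytab -s $ipa_hostname -p testservice/$ipa_hostname";` names no keytab file even though the very next line reads `/tmp/testservice.keytab`; ipa-getkeytab requires `-k`, so as printed here (the line is wrapped across the page and may have lost text) the command exits non-zero and the klist check never runs. Adding `-k /tmp/testservice.keytab` to that command ties the two steps together. In `sub { $_ =~ m/testservice\/$ipa_hostname/ }` the hostname is interpolated unescaped, so each dot matches any character; `m{testservice/\Q$ipa_hostname\E}` matches it literally. The commented-out `m//` should get a real pattern before it is revived, because an empty pattern re-uses the last successful match. `run()` continues past the end of this hunk.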
@@ -61,13 +108,24 @@ sub run {
 assert_script_run 'ipa pwpolicy-mod --minlife=0';
 # magic voodoo crap to allow reverse DNS client sync to work
 # https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
- assert_script_run 'ipa dnszone-mod test.openqa.rockylinux.org. --allow-sync-ptr=TRUE';
+ assert_script_run "ipa dnszone-mod $ipa_domain. --allow-sync-ptr=TRUE";
 # kinit as each user and set a new password
- assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.ROCKYLINUX.ORG';
- assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.ROCKYLINUX.ORG';
- # we're ready for children to enrol, now
+ assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test1\@$ipa_realm";
+ assert_script_run "printf 'correcthorse\nbatterystaple\nbatterystaple' | kinit test2\@$ipa_realm";
+
+ # add a sudo rule
+ assert_script_run 'ipa sudorule-add testrule --desc="Test rule in IPA" --hostcat=all --cmdcat=all --runasusercat=all --runasgroupcat=all';
+ assert_script_run 'ipa sudorule-add-user testrule --users="test1"';
+ validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Rule name: testrule/ };
+ validate_script_output 'ipa sudorule-show testrule', sub { $_ =~ m/Users: test1/ };
+ # This may fail - Invalidate sudo cache and check test1's sudo perms
+ assert_script_run 'sss_cache -R';
+ validate_script_output 'sudo -l -U test1', sub { $_ =~ m/test1 may run the following commands/ };
+
+ # we're ready for children to enroll, now
 mutex_create("freeipa_ready");
- # if upgrade test, wait for children to enrol before upgrade
+ # This generally applies to Fedora upgrades. We don't perform upgrades in EL
+ # but we will leave this here.
 if (get_var("UPGRADE")) {
 my $children = get_children();
 my $child_id = (keys %$children)[0];
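Review bot: The comment `# This may fail - Invalidate sudo cache and check test1's sudo perms` says the step is flaky without saying why, which leaves whoever next hits the failure guessing; `sss_cache -R` drops SSSD's cached sudo rules so that `sudo -l -U test1` has to fetch the new `testrule`, and a comment such as `# drop SSSD's cached sudo rules so sudo -l sees testrule without waiting for the refresh interval` records that intent. If the step is genuinely racy, a short retry around `validate_script_output 'sudo -l -U test1'` is more honest than the comment. The two `validate_script_output 'ipa sudorule-show testrule'` calls run the same command twice and can be one check, `sub { $_ =~ m/Rule name: testrule/ && $_ =~ m/Users: test1/ }`. `run()` continues past the end of this hunk.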