From 98212c168ec1c68abe796f4133c782f6790ad174 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Sep 03 2018 13:07:30 +0000 Subject: tests: add test for server install with --no-dnssec-validation Add 2 tests related to the checks performed by ipa-server-install when --forwarder is specified: - if the forwarder is not reachable and we require dnssec validation, the installer must refuse to go on and exit on error. - if the forwarder is not reachable but --no-dnssec-validation is provided, the installer must continue. Related to https://pagure.io/freeipa/issue/7666 Reviewed-By: Tibor Dudlak
---
diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index dab057b..4759647 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -570,3 +570,47 @@ class TestMigrateDNSSECMaster(IntegrationTest):
 self.master.ip, example3_test_zone, timeout=200
 ), ("Zone %s is not signed (master)" % example3_test_zone)
+
+
+class TestInstallNoDnssecValidation(IntegrationTest):
+ """test installation of the master with
+ --no-dnssec-validation
+
+ Test for issue 7666: ipa-server-install --setup-dns is failing
+ if using --no-dnssec-validation and --forwarder, when the
+ specified forwarder does not support DNSSEC.
+ The forwarder should not be checked for DNSSEC support when
+ --no-dnssec-validation argument is specified.
+ In order to reproduce the conditions, the test is using a dummy
+ IP address for the forwarder (i.e. there is no BIND service available
+ at this IP address). To make sure of that, the test is using the IP of
+ a replica (that is not yet setup).
+ """
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.install_args = [
+ 'ipa-server-install',
+ '-n', cls.master.domain.name,
+ '-r', cls.master.domain.realm,
+ '-p', cls.master.config.dirman_password,
+ '-a', cls.master.config.admin_password,
+ '-U',
+ '--setup-dns',
+ '--forwarder', cls.replicas[0].ip,
+ '--auto-reverse'
+ ]
+
+ def test_install_withDnssecValidation(self):
+ cmd = self.master.run_command(self.install_args, raiseonerr=False)
+ # The installer checks that the forwarder supports DNSSEC
+ # but the forwarder does not answer => expect failure
+ assert cmd.returncode != 0
+
+ def test_install_noDnssecValidation(self):
+ # With the --no-dnssec-validation, the installer does not check
+ # whether the forwarder supports DNSSEC => success even if the
+ # forwarder is not reachable
+ self.master.run_command(
+ self.install_args + ['--no-dnssec-validation'])
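Review bot: `test_install_withDnssecValidation` asserts only `cmd.returncode != 0`, so it passes on any installer failure (a rejected option, leftover host state, an unrelated service error) and not specifically on the refusal caused by the unreachable forwarder. Since this is the check that protects DNSSEC validation, pin the reason as well, for example `assert "<installer's forwarder/DNSSEC error text>" in cmd.stderr_text` (the quoted string is a placeholder; take the real message from the installer). `test_install_noDnssecValidation` then runs `ipa-server-install` on the same master with no uninstall in between, so it presumably relies on the first run aborting before it changes the host. A short comment stating that assumption, or an explicit cleanup step, would make the ordering dependency visible.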