From f0e11dac2d0164d6fdd6947deb6d45a09b03b10d Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Dec 11 2018 12:46:52 +0000
Subject: Test smart card advise scripts
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 78bd603..95fac75 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -157,7 +157,7 @@ jobs:
 test_suite: test_integration/test_advise.py
 template: *ci-master-f29
 timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
 fedora-29/test_testconfig:
 requires: [fedora-29/build]
diff --git a/ipatests/test_integration/test_advise.py b/ipatests/test_integration/test_advise.py
index 3b821c8..b548614 100644
--- a/ipatests/test_integration/test_advise.py
+++ b/ipatests/test_integration/test_advise.py
@@ -21,11 +21,17 @@
 # pylint: disable=no-member
 import re
+
+from ipalib.constants import IPAAPI_USER
+from ipaplatform.paths import paths
+from ipaplatform.constants import constants
+
+from ipatests.create_external_ca import ExternalCA
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
-def run_advice(master, advice_id, advice_regex, raiseerr):
+def run_advice(master, advice_id, advice_regex, raiseerr=True):
 # Obtain the advice from the server
 tasks.kinit_admin(master)
 result = master.run_command(['ipa-advise', advice_id],
@@ -43,28 +49,38 @@ class TestAdvice(IntegrationTest):
 """
 Tests ipa-advise output.
 """
- advice_id = None
- raiseerr = None
- advice_regex = ''
 topology = 'line'
+ num_replicas = 0
+ num_clients = 1
+
+ def execute_advise(self, host, advice_id, *args):
+ # ipa-advise script is only available on a server
+ tasks.kinit_admin(self.master)
+ advice = self.master.run_command(['ipa-advise', advice_id])
+ # execute script on host (client or master)
+ if host is not self.master:
+ tasks.kinit_admin(host)
+ filename = tasks.upload_temp_contents(host, advice.stdout_text)
+ cmd = ['sh', filename]
+ cmd.extend(args)
+ try:
+ result = host.run_command(cmd)
+ finally:
+ host.run_command(['rm', '-f', filename])
+ return advice, result
 def test_invalid_advice(self):
 advice_id = r'invalid-advise-param'
 advice_regex = r"invalid[\s]+\'advice\'.*"
- raiseerr = False
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
-
+ run_advice(self.master, advice_id, advice_regex, raiseerr=False)
 def test_advice_FreeBSDNSSPAM(self):
 advice_id = 'config-freebsd-nss-pam-ldapd'
 advice_regex = r"\#\!\/bin\/sh.*" \
 r"pkg_add[\s]+\-r[\s]+nss\-pam\-ldapd[\s]+curl.*" \
 r"\/usr\/local\/etc\/rc\.d\/nslcd[\s]+restart"
- raiseerr = True
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
 def test_advice_GenericNSSPAM(self):
 advice_id = 'config-generic-linux-nss-pam-ldapd'
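Review bot: `execute_advise` writes the ipa-advise output to a temporary file on `host` and runs it with `sh`, but nothing in this hunk shows how `tasks.upload_temp_contents` names or protects that file. Because these scripts reconfigure the host, it is worth confirming that the helper creates the file with an unpredictable name and owner-only permissions. The method also has no docstring; I would add one stating that the script is generated on `self.master`, executed on `host` with `*args` appended, and returned as `(advice, result)`. Indentation is lost in this view, so the extent of the `if host is not self.master:` block is inferred rather than visible.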
@@ -75,20 +91,16 @@ class TestAdvice(IntegrationTest):
 r"service[\s]+nscd[\s]+stop[\s]+\&\&[\s]+service[\s]+"
 r"nslcd[\s]+restart"
 )
- raiseerr = True
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
 def test_advice_GenericSSSDBefore19(self):
 advice_id = r'config-generic-linux-sssd-before-1-9'
 advice_regex = r"\#\!\/bin\/sh.*" \
 r"apt\-get[\s]+\-y[\s]+install sssd curl openssl.*" \
 r"service[\s]+sssd[\s]+start"
- raiseerr = True
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
 def test_advice_RedHatNSS(self):
 advice_id = 'config-redhat-nss-ldap'
@@ -100,10 +112,8 @@ class TestAdvice(IntegrationTest):
 r"[\s]+\-\-enableldapauth[\s]+"
 r"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"
 )
- raiseerr = True
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
 def test_advice_RedHatNSSPAM(self):
 advice_id = 'config-redhat-nss-pam-ldapd'
@@ -113,10 +123,8 @@ class TestAdvice(IntegrationTest):
 r"authconfig[\s]+\-\-updateall[\s]+\-\-enableldap"\
 r"[\s]+\-\-enableldaptls[\s]+\-\-enableldapauth[\s]+" \
 r"\-\-ldapserver=.*[\s]+\-\-ldapbasedn=.*"
- raiseerr = True
-
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
 def test_advice_RedHatSSSDBefore19(self):
 advice_id = 'config-redhat-sssd-before-1-9'
@@ -125,6 +133,47 @@ class TestAdvice(IntegrationTest):
 r"yum[\s]+install[\s]+\-y[\s]+sssd[\s]+authconfig[\s]+"
 r"curl[\s]+openssl.*service[\s]+sssd[\s]+start"
 )
- raiseerr = True
- run_advice(self.master, advice_id, advice_regex, raiseerr)
+ run_advice(self.master, advice_id, advice_regex)
+
+ # trivial checks
+ def test_advice_enable_admins_sudo(self):
+ advice_id = 'enable_admins_sudo'
+ advice_regex = r"\#\!\/bin\/sh.*"
+ run_advice(self.master, advice_id, advice_regex)
+
+ def test_advice_config_server_for_smart_card_auth(self):
+ advice_id = 'config_server_for_smart_card_auth'
+ advice_regex = r"\#\!\/bin\/sh.*"
+ run_advice(self.master, advice_id, advice_regex)
+
+ ca_pem = ExternalCA().create_ca()
+ ca_file = tasks.upload_temp_contents(self.master, ca_pem)
+ try:
+ self.execute_advise(self.master, advice_id, ca_file)
+ except Exception:
+ # debug: sometimes ipa-certupdate times out in
+ # "Resubmitting certmonger request"
+ self.master.run_command(['getcert', 'list'])
+ raise
+ finally:
+ self.master.run_command(['rm', '-f', ca_file])
+ sssd_conf = self.master.get_file_contents(
+ paths.SSSD_CONF, encoding='utf-8'
+ )
+ assert constants.HTTPD_USER in sssd_conf
+ assert IPAAPI_USER in sssd_conf
+
+ def test_advice_config_client_for_smart_card_auth(self):
+ advice_id = 'config_client_for_smart_card_auth'
+ advice_regex = r"\#\!\/bin\/sh.*"
+ run_advice(self.master, advice_id, advice_regex)
+
+ client = self.clients[0]
+
+ ca_pem = ExternalCA().create_ca()
+ ca_file = tasks.upload_temp_contents(client, ca_pem)
+ try:
+ self.execute_advise(client, advice_id, ca_file)
+ finally:
+ client.run_command(['rm', '-f', ca_file])
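Review bot: The two `assert ... in sssd_conf` checks in `test_advice_config_server_for_smart_card_auth` are substring matches over the whole file, so they pass if the user names appear anywhere, including in a comment or an unrelated option. Parsing the file and asserting on the specific section and option the advise script is expected to set would make this a real check of which accounts were granted access. `test_advice_config_client_for_smart_card_auth` asserts nothing about the client's state after the script runs, only that the command did not raise. In the `except Exception:` branch, `self.master.run_command(['getcert', 'list'], raiseonerr=False)` would keep a failing debug command from replacing the original exception.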