URL: https://github.com/freeipa/freeipa/pull/2326
Author: flo-renaud
Title: #2326: ipa-replica-install: fix pkinit setup
Action: opened

PR body:
"""
### ipa-replica-install: fix pkinit setup
commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.

The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566

### Tests: test successful PKINIT install on replica

Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2326/head:pr2326
git checkout pr2326
From 914ae55a120105e3b3d6bf2458157bbd4171084a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 4 Sep 2018 14:15:50 +0200
Subject: [PATCH 1/3] ipa-replica-install: fix pkinit setup

commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.

The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566
---
 ipaserver/plugins/cert.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ffe51597e4..9e3d228f8c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -300,9 +300,11 @@ def ca_kdc_check(api_instance, hostname):
 
         ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']}
 
-        if 'enabledservice' not in ipaconfigstring:
+        if 'enabledservice' not in ipaconfigstring \
+                and 'configuredservice' not in ipaconfigstring:
             raise errors.NotFound(
-                reason=_("enabledService not in ipaConfigString kdc entry"))
+                reason=_("enabledService/configuredService not in "
+                         "ipaConfigString kdc entry"))
 
     except errors.NotFound:
         raise errors.ACIError(
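Review bot: the widened condition (`if 'enabledservice' not in ipaconfigstring \` / `and 'configuredservice' not in ipaconfigstring:`) changes what ca_kdc_check guarantees: a host whose KDC entry carries only configuredService, for example an installation that aborted after the entry was created and never reached the enable step, now obtains a PKINIT KDC certificate where it was refused before. A one-line comment above the check stating why configuredService is acceptable here (the replica requests the cert before the installer enables services, per the commit message) would record that trade-off for the next reader; without it the change reads as a plain weakening. Style: ipaconfigstring is already a set (line above), so `if ipaconfigstring.isdisjoint({'enabledservice', 'configuredservice'}):` expresses the intent and avoids the backslash continuation.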

From 71c3621ca21b10f860ceb68a019018d5382955f8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 4 Sep 2018 15:50:28 +0200
Subject: [PATCH 2/3] Tests: test successful PKINIT install on replica

Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica

Related to https://pagure.io/freeipa/issue/7566
---
 ipatests/test_integration/test_replica_promotion.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index fa94927dfe..a13d0ba71a 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -202,12 +202,15 @@ def test_one_command_installation(self):
         http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
         #Test_case:_Replica_can_be_installed_using_one_command
         """
-        self.replicas[0].run_command(['ipa-replica-install', '-w',
+        res = self.replicas[0].run_command(['ipa-replica-install', '-w',
                                      self.master.config.admin_password,
                                      '-n', self.master.domain.name,
                                      '-r', self.master.domain.realm,
                                      '--server', self.master.hostname,
                                      '-U'])
+        # Ensure that pkinit is properly configured, test for 7566
+        err_msg = "Full PKINIT configuration did not succeed"
+        assert err_msg not in res.stdout_text
 
 
 @pytest.mark.skip(reason="Domain level 0 is not supported anymore")
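Review bot: `assert err_msg not in res.stdout_text` is a negative string match, so the test passes vacuously if the installer writes the warning to stderr or its wording changes; check res.stderr_text as well, and add a positive assertion that PKINIT actually ended up configured on the replica rather than only that one failure message is absent. With `res = ` prepended on the first line, the continuation lines `self.master.config.admin_password,` through `'-U'])` are no longer aligned with the opening bracket and will trip the pep8 check (E128); re-indent them. The comment `# Ensure that pkinit is properly configured, test for 7566` would be clearer with the full issue URL from the commit message.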

From fc86da1db804b2b70c7a88a4cd9ef18bc0fa4db1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Tue, 4 Sep 2018 16:06:40 +0200
Subject: [PATCH 3/3] temp commit to launch
 test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1

Please remove before pushing
---
 ipatests/prci_definitions/gating.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 362f84e308..e86e314c83 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -242,3 +242,15 @@ jobs:
         template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
+
+  fedora-28/test_replica_promotion_TestReplicaPromotionLevel1:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1
+        template: *ci-master-f28
+        timeout: 7200
+        topology: *master_1repl
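Review bot: per the commit message ("temp commit to launch ... Please remove before pushing"), this gating.yaml addition exists only to trigger the new test in PR CI and must be dropped before merge. If the intent is to keep TestReplicaPromotionLevel1 in the gating set permanently, add it in its own commit with a descriptive message and justify the `timeout: 7200`, which is double the `timeout: 3600` of the neighbouring job in the hunk's context.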
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org