URL: https://github.com/freeipa/freeipa/pull/5968 Author: amore17 Title: #5968: ipatests: Test secure nsupdate failed, then try unsecure nsupdate.. Action: opened
PR body: """ Test to verify that when BIND is configured with a dynamic update policy and 'nsupdate -g' fails during client-install, a second call is made using unauthenticated nsupdate. Related : https://pagure.io/freeipa/issue/8402 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5968/head:pr5968 git checkout pr5968
From 03c35b0d22104051f4a781991863bcafbc7ea18c Mon Sep 17 00:00:00 2001 From: Anuja More <am...@redhat.com> Date: Tue, 10 Aug 2021 14:59:53 +0530 Subject: [PATCH 1/2] temp_commit Signed-off-by: Anuja More <am...@redhat.com> --- .freeipa-pr-ci.yaml | 2 +- ipatests/prci_definitions/temp_commit.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b634..80656690080 120000 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 4b0398b9218..53277c058ac 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -61,14 +61,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_installation_client: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' - test_suite: test_integration/test_REPLACEME.py + test_suite: test_integration/test_installation_client.py template: *ci-master-latest timeout: 3600 - topology: *master_1repl_1client + topology: *master_3client From 15361d2d75698ebe405d35a2dfa72535961fb0f0 Mon Sep 17 00:00:00 2001 From: Anuja More <am...@redhat.com> Date: Mon, 9 Aug 2021 20:57:22 +0530 Subject: [PATCH 2/2] Test secure nsupdate failed, then try unsecure nsupdate.. Test to verify when bind is configured with dynamic update policy, and during client-install 'nsupdate -g' fails then it should run with second call using unauthenticated nsupdate. Related : https://pagure.io/freeipa/issue/8402 Signed-off-by: Anuja More <am...@redhat.com> --- .../test_installation_client.py | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) 
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py index fa59a5255a9..1598b97198f 100644 --- a/ipatests/test_integration/test_installation_client.py +++ b/ipatests/test_integration/test_installation_client.py @@ -8,10 +8,16 @@ from __future__ import absolute_import +import pytest +import re import shlex +import textwrap +from ipaplatform.paths import paths from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks +from ipatests.pytest_ipa.integration.firewall import Firewall + class TestInstallClient(IntegrationTest): 
@@ -70,3 +76,110 @@ def test_client_install_with_ssh_trust_dns(self):
 extra_args=['--ssh-trust-dns'])
 result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
 assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ nsupdate if bind gssapi fails then try unsecure.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+ pass
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};""").format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ tasks.install_master(bindserver, setup_dns=False)
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_0001(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ # install client with bindserver
+ client = self.client
+ client.resolver.backup()
+ nameservers = self.master.ip
+ client.resolver.setup_resolver(nameservers, self.master.domain.name)
+ try:
+ cmd = ['ipa-client-install', '-U',
+ '--domain', client.domain.name,
+ '--realm', client.domain.realm,
+ '-p', client.config.admin_name,
+ '-w', client.config.admin_password,
+ '--server', self.master.hostname]
+ client.run_command(cmd)
+ sssd_conf = client.get_file_contents(paths.SSSD_CONF,
+ encoding='utf-8')
+ # call of unauthenticated nsupdate when GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
+ encoding='utf-8')
+ assert str1 and str2 in client_log
+ assert "dyndns_update" not in sssd_conf
+ finally:
+ client.resolver.restore()
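Review bot: `assert str1 and str2 in client_log` near the end of `test_0001` only checks `str2`, because Python parses it as `str1 and (str2 in client_log)` and the non-empty literal `str1` is always truthy. The test therefore passes even when the install log never records "nsupdate (GSS-TSIG) failed", so it does not prove the unauthenticated call was a fallback after the secure attempt; assert each string on its own: `assert str1 in client_log` and `assert str2 in client_log`. Separately, the `setup_bindserver` teardown restores named.conf and removes the zone file but, as far as this hunk shows, never stops or restarts named, so the running server may keep the `allow-update { any; }` zone and the all-interfaces listener for whatever runs next on that host. Restarting or stopping named after `named_conf_backup.restore()` would close that gap, and putting the steps before `yield` in a `try`/`except` that restores the backup and re-raises would cover the case where `tasks.install_master` fails after named.conf has already been rewritten.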