authorLenka Doudova <ldoudova@redhat.com>2016-09-22 14:09:03 +0200
committerMartin Basti <mbasti@redhat.com>2016-11-15 13:34:38 +0100
commit4df1d9d1a566af57b23d45ca4377ab77ed9e4d60 (patch)
treeed93e1eaabad653c1f2940266beb5d2a3e856a17 /ipatests/test_integration
parent2dd66c6366454f9edd9b89861530e97c75b2d869 (diff)
Tests: Providing trust tests with tree root domain
https://fedorahosted.org/freeipa/ticket/6347 Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
Diffstat (limited to 'ipatests/test_integration')
-rw-r--r--ipatests/test_integration/test_trust.py110
1 files changed, 96 insertions, 14 deletions
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 27c0e5620..06bc4935b 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -31,7 +31,7 @@ class ADTrustBase(IntegrationTest):
topology = 'line'
num_ad_domains = 1
- optional_extra_roles = ['ad_subdomain']
+ optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
@classmethod
def install(cls, mh):
@@ -52,6 +52,14 @@ class ADTrustBase(IntegrationTest):
except LookupError:
cls.ad_subdomain = None
+ # Determine whether the tree domain AD is available
+ try:
+ cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
+ cls.ad_treedomain = '.'.join(
+ cls.tree_ad.hostname.split('.')[1:])
+ except LookupError:
+ cls.ad_treedomain = None
+
cls.configure_dns_and_time()
@classmethod
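Review bot: The `except LookupError` branch sets only `cls.ad_treedomain = None` and leaves `cls.tree_ad` undefined, so later code that reads `cls.tree_ad` raises AttributeError when the optional role is missing from the topology. Adding `cls.tree_ad = None` in that branch keeps both attributes defined on every path. The lookup is also tied to list position through `cls.optional_extra_roles[1]`; passing the role name, `cls.host_by_role('ad_treedomain')`, would survive a reordering of the list. install() starts before this hunk.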
@@ -98,9 +106,10 @@ class ADTrustBase(IntegrationTest):
'trustdomain-find',
self.ad_domain])
- # Check that both trustdomains appear in the result
+ # Check that all trustdomains appear in the result
assert self.ad_domain in result.stdout_text
assert self.ad_subdomain in result.stdout_text
+ assert self.ad_treedomain in result.stdout_text
class ADTrustSubdomainBase(ADTrustBase):
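Review bot: The added `assert self.ad_treedomain in result.stdout_text` runs with `ad_treedomain` set to None whenever the optional tree-domain host is not configured, and `None in <str>` raises TypeError instead of failing or skipping cleanly. Unless a guard above this hunk already skips the test, make the check conditional, for example `if self.ad_treedomain: assert self.ad_treedomain in result.stdout_text`. The existing `ad_subdomain` assertion on the line above has the same exposure. The test method starts outside the hunk.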
@@ -116,20 +125,26 @@ class ADTrustSubdomainBase(ADTrustBase):
@classmethod
def install(cls, mh):
super(ADTrustSubdomainBase, cls).install(mh)
- cls.ad = cls.ad_domains[0].ads[0]
- cls.ad_domain = cls.ad.domain.name
- cls.install_adtrust()
- cls.check_sid_generation()
-
- # Determine whether the subdomain AD is available
- # if not, skip the whole suite
- try:
- cls.child_ad = cls.host_by_role(cls.optional_extra_roles[0])
- cls.ad_subdomain = '.'.join(cls.child_ad.hostname.split('.')[1:])
- except LookupError:
+ if not cls.ad_subdomain:
raise nose.SkipTest('AD subdomain is not available.')
- cls.configure_dns_and_time()
+
+class ADTrustTreedomainBase(ADTrustBase):
+ """
+ Base class for tests involving tree root domains of trusted forests
+ """
+
+ @classmethod
+ def configure_dns_and_time(cls):
+ tasks.configure_dns_for_trust(cls.master, cls.ad_treedomain)
+ tasks.sync_time(cls.master, cls.tree_ad)
+
+ @classmethod
+ def install(cls, mh):
+ super(ADTrustTreedomainBase, cls).install(mh)
+ if not cls.ad_treedomain:
+ raise nose.SkipTest('AD tree root domain is not available.')
+
class TestBasicADTrust(ADTrustBase):
"""Basic Integration test for Active Directory"""
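Review bot: In `ADTrustTreedomainBase.install` the `SkipTest` check runs only after `super(ADTrustTreedomainBase, cls).install(mh)`, but the base install appears to finish with `cls.configure_dns_and_time()`, which dispatches to this class's override. With no tree-domain host present, that override passes None to `tasks.configure_dns_for_trust` and then reads `cls.tree_ad`, so the suite is likely to error out before the skip is reached. Raising the skip at the top of the override, `if not cls.ad_treedomain: raise nose.SkipTest('AD tree root domain is not available.')`, keeps the skip path clean. `ADTrustSubdomainBase.install` now has the same ordering; its `configure_dns_and_time` is not visible in this hunk, so it is worth confirming there as well.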
@@ -343,6 +358,73 @@ class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
'Test case unapplicable, present for inheritance reason only')
+class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
+ """
+ Test establishing external trust with tree root domain
+ """
+
+ def test_establish_trust(self):
+ """ Tests establishing external trust with Active Directory """
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_treedomain,
+ extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+
+ def test_all_trustdomains_found(self):
+ """ Test that only one trustdomain is found """
+ result = self.master.run_command(['ipa', 'trustdomain-find',
+ self.ad_treedomain])
+
+ assert self.ad_treedomain in result.stdout_text
+ assert "Number of entries returned 1" in result.stdout_text
+
+ def test_user_gid_uid_resolution_in_nonposix_trust(self):
+ """ Check that user has SID-generated UID """
+ testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+ result = self.master.run_command(['getent', 'passwd', testuser])
+
+ testuser_regex = ("^treetestuser@{0}:\*:(?!10242)(\d+):"
+ "(?!10247)(\d+):TreeTest User:"
+ "/home/{1}/treetestuser:/bin/sh$".format(
+ re.escape(self.ad_treedomain),
+ re.escape(self.ad_treedomain)))
+
+ assert re.search(testuser_regex, result.stdout_text)
+
+ def test_remove_nonposix_trust(self):
+ tasks.remove_trust_with_ad(self.master, self.ad_treedomain)
+ tasks.clear_sssd_cache(self.master)
+
+
+class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
+ """
+ Tests that a non-external trust to a tree root domain cannot be established
+ """
+ def test_establish_trust(self):
+ """ Tests establishing non-external trust with Active Directory """
+ self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+ 'HTTP/%s' % self.master.hostname])
+ self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
+ self.master.run_command(['kdestroy', '-A'])
+
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['klist'])
+ self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
+
+ result = self.master.run_command([
+ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
+ 'Administrator', '--password', '--range-type', 'ipa-ad-trust'
+ ], stdin_text=self.master.config.ad_admin_password,
+ raiseonerr=False)
+
+ assert result != 0
+ assert ("Domain '{0}' is not a root domain".format(
+ self.ad_treedomain) in result.stderr_text)
+
+ def test_all_trustdomains_found(self):
+ raise nose.SkipTest(
+ 'Test case unapplicable, present for inheritance reason only')
+
+
class TestExternalTrustWithRootDomain(ADTrustSubdomainBase):
"""
Test establishing external trust with root domain
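Review bot: `assert result != 0` in `TestNonexternalTrustWithTreedomain.test_establish_trust` compares the command result object with an integer, so it most likely passes whatever the exit status was; `assert result.returncode != 0` is what the negative test needs. The same test raises the Samba log level with `smbcontrol all debug 100` and nothing in the hunk lowers it again, which leaves the master logging at maximum verbosity, where logs can carry authentication detail; restore the previous level in a teardown. In `test_user_gid_uid_resolution_in_nonposix_trust` the pattern puts `\*` and `\d` in ordinary string literals; prefixing each fragment with `r` avoids invalid-escape warnings on newer Python versions.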