URL: https://github.com/freeipa/freeipa/pull/2321
Author: Tiboris
Title: #2321: [Backport][ipa-4-7] ipa-server-install: do not perform forwarder validation with --no-dnssec-validation
Action: opened

PR body:
"""
This PR was opened automatically because PR #2310 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2321/head:pr2321
git checkout pr2321

From cfb45d2b1af23d9e178baf34f9a503c83603384d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 31 Aug 2018 10:09:15 +0200
Subject: [PATCH 1/2] ipa-server-install: do not perform forwarder validation
 with --no-dnssec-validation

ipa-server-install is checking if the forwarder(s) specified with
--forwarder argument support DNSSEC. When the --no-dnssec-validation
option is added, the installer should not perform the check.

Fixes: https://pagure.io/freeipa/issue/7666
---
 ipaserver/install/dns.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index c7c22176c5..9c28d1b065 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -292,8 +292,8 @@ def install_check(standalone, api, replica, options, hostname):
 
     # test DNSSEC forwarders
     if options.forwarders:
-        if (not bindinstance.check_forwarders(options.forwarders)
-                and not options.no_dnssec_validation):
+        if not options.no_dnssec_validation \
+                and not bindinstance.check_forwarders(options.forwarders):
             options.no_dnssec_validation = True
             print("WARNING: DNSSEC validation will be disabled")
 
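
Review bot: the rewritten condition starting at `if not options.no_dnssec_validation \` now relies on short-circuit evaluation to skip `bindinstance.check_forwarders()`, but the only comment above it is still the unchanged `# test DNSSEC forwarders`. Please add a comment saying the forwarders must not be checked when --no-dnssec-validation is given, so a later cleanup does not swap the operands back and reintroduce issue 7666. As a style point, keep the parenthesised form used by the removed lines instead of the backslash continuation.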

From c63df10c97e195a855533d59f8b2d195815ef663 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 31 Aug 2018 10:12:01 +0200
Subject: [PATCH 2/2] tests: add test for server install with
 --no-dnssec-validation

Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.

Related to https://pagure.io/freeipa/issue/7666
---
 ipatests/test_integration/test_dnssec.py | 44 ++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 368b1ffc49..18b806e8ef 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -550,3 +550,47 @@ def test_migrate_dnssec_master(self):
             self.master.ip, example3_test_zone, timeout=200
         ), ("Zone %s is not signed (master)"
             % example3_test_zone)
+
+
+class TestInstallNoDnssecValidation(IntegrationTest):
+    """test installation of the master with
+    --no-dnssec-validation
+
+    Test for issue 7666: ipa-server-install --setup-dns is failing
+    if using --no-dnssec-validation and --forwarder, when the
+    specified forwarder does not support DNSSEC.
+    The forwarder should not be checked for DNSSEC support when
+    --no-dnssec-validation argument is specified.
+    In order to reproduce the conditions, the test is using a dummy
+    IP address for the forwarder (i.e. there is no BIND service available
+    at this IP address). To make sure of that, the test is using the IP of
+    a replica (that is not yet setup).
+    """
+    num_replicas = 1
+
+    @classmethod
+    def install(cls, mh):
+        cls.install_args = [
+            'ipa-server-install',
+            '-n', cls.master.domain.name,
+            '-r', cls.master.domain.realm,
+            '-p', cls.master.config.dirman_password,
+            '-a', cls.master.config.admin_password,
+            '-U',
+            '--setup-dns',
+            '--forwarder', cls.replicas[0].ip,
+            '--auto-reverse'
+        ]
+
+    def test_install_withDnssecValidation(self):
+        cmd = self.master.run_command(self.install_args, raiseonerr=False)
+        # The installer checks that the forwarder supports DNSSEC
+        # but the forwarder does not answer => expect failure
+        assert cmd.returncode != 0
+
+    def test_install_noDnssecValidation(self):
+        # With the --no-dnssec-validation, the installer does not check
+        # whether the forwarder supports DNSSEC => success even if the
+        # forwarder is not reachable
+        self.master.run_command(
+            self.install_args + ['--no-dnssec-validation'])
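
Review bot: `test_install_withDnssecValidation` only asserts `cmd.returncode != 0`, so it passes on any installer failure, not just the forwarder check. Please also assert on the installer's error output so the test pins the failure to the DNSSEC forwarder validation. The second test depends on the first one having failed and left the master uninstalled, since both run `ipa-server-install` on `self.master`; that ordering dependency deserves a comment or an explicit cleanup step between them. The class docstring describes a forwarder that "does not support DNSSEC", while the test exercises an unreachable address only, so the docstring could say which case is actually covered. `test_install_noDnssecValidation` also checks nothing beyond a zero exit code; a check that validation ended up disabled would make it more useful.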
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org