URL: https://github.com/freeipa/freeipa/pull/3624 Author: amore17 Title: #3624: ipatests: extdom plugin should not return error (32)/'No such object' Action: opened
PR body: """ Added a test which validates that if there is a time-out during a request to SSSD, the extdom plugin does not return the error 'No such object' and the existing user is not removed from the cache on the client. Related Ticket: https://pagure.io/freeipa/issue/8044 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3624/head:pr3624 git checkout pr3624
From fd9805bffc87a58cccbb229bb749240b81ea878b Mon Sep 17 00:00:00 2001 From: Anuja More <am...@redhat.com> Date: Thu, 5 Sep 2019 17:35:49 +0530 Subject: [PATCH 1/2] Extdom plugin should not return error (32)/'No such object' Regression test for https://pagure.io/freeipa/issue/8044 If there is a timeout during a request to SSSD the extdom plugin should not return error 'No such object' and the existing user should not be removed from the cache on the client. Signed-off-by: Anuja More <am...@redhat.com> --- ipatests/test_integration/test_trust.py | 58 +++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py index 610097bbe3..fd37131a0f 100644 --- a/ipatests/test_integration/test_trust.py +++ b/ipatests/test_integration/test_trust.py 
@@ -268,6 +268,64 @@ def test_override_homedir(self):
 tasks.restore_files(self.master)
 tasks.clear_sssd_cache(self.master)
+ def test_extdom_plugin(self):
+ """Extdom plugin should not return error (32)/'No such object'
+
+ Regression test for https://pagure.io/freeipa/issue/8044
+
+ If there is a timeout during a request to SSSD the extdom plugin
+ should not return error 'No such object' and the existing user should
+ not be removed from the cache on the client.
+ """
+ client = self.clients[0]
+ tasks.backup_file(self.master, paths.SSSD_CONF)
+ log_file = '{0}/sssd_{1}.log' .format(paths.VAR_LOG_SSSD_DIR,
+ self.master.domain.name)
+ logsize = len(self.master.get_file_contents(log_file))
+ res = self.master.run_command(['pidof', 'sssd_be'])
+ pid = res.stdout_text.strip()
+ try:
+ # set the extdom plugin timeout to 1s (1000) by default it is 10s
+ entry_ldif = textwrap.dedent("""
+ dn: cn=ipa_extdom_extop,cn=plugins,cn=config
+ changetype: modify
+ replace: ipaExtdomMaxNssTimeout
+ ipaExtdomMaxNssTimeout: 1000
+ """)
+ tasks.ldapmodify_dm(self.master, entry_ldif)
+ domain = self.master.domain
+ tasks.modify_sssd_conf(
+ self.master,
+ domain.name,
+ {
+ 'timeout': '999999'
+ }
+ )
+ test_id = 'id testuser@%s' % self.ad_domain
+ client.run_command(test_id)
+ remove_cache = 'sss_cache -E'
+ self.master.run_command(remove_cache)
+ client.run_command(remove_cache)
+
+ self.master.run_command('kill -STOP %s' % pid)
+ client.run_command(test_id)
+
+ error = 'ldap_extended_operation result: No such object(32)'
+ sssd_log2 = self.master.get_file_contents(log_file)[logsize:]
+ assert error.encode() not in sssd_log2
+ finally:
+ self.master.run_command('kill -CONT %s' % pid)
+ # set back to default extdom plugin timeout 10s
+ entry_ldif = textwrap.dedent("""
+ dn: cn=ipa_extdom_extop,cn=plugins,cn=config
+ changetype: modify
+ replace: ipaExtdomMaxNssTimeout
+ ipaExtdomMaxNssTimeout: 10000
+ """)
+ tasks.ldapmodify_dm(self.master, entry_ldif)
+ tasks.restore_files(self.master)
+ tasks.clear_sssd_cache(self.master)
+
 def test_remove_posix_trust(self):
 self.remove_trust(self.ad)
From 2d4bf2b202f8a979e2b799b27efd1a7313b97f35 Mon Sep 17 00:00:00 2001 From: Anuja More <am...@redhat.com> Date: Thu, 5 Sep 2019 17:48:57 +0530 Subject: [PATCH 2/2] Temp_commit Signed-off-by: Anuja More <am...@redhat.com>
---
.freeipa-pr-ci.yaml | 2 +- ipatests/prci_definitions/temp_commit.yaml | 14 +- ipatests/test_integration/test_trust.py | 334 --------------------- 3 files changed, 10 insertions(+), 340 deletions(-)
diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 295b272d2b..8da82b521e 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -33,6 +33,10 @@ topologies:
 name: master_3repl_1client
 cpu: 6
 memory: 12900
+ ad_master_2client: &ad_master_2client
+ name: ad_master_2client
+ cpu: 4
+ memory: 12000
 jobs:
 fedora-30/build:
@@ -49,14 +53,14 @@ jobs:
 timeout: 1800
 topology: *build
- fedora-30/temp_commit:
+ fedora-30/test_trust:
 requires: [fedora-30/build]
 priority: 50
 job:
- class: RunPytest
+ class: RunADTests
 args:
 build_url: '{fedora-30/build_url}'
- test_suite: test_integration/test_REPLACEME.py
+ test_suite: test_integration/test_trust.py
 template: *ci-master-f30
- timeout: 3600
- topology: *master_1repl_1client
+ timeout: 12000
+ topology: *ad_master_2client
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index fd37131a0f..c006186e59 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
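Review bot: The negative assertion `assert error.encode() not in sssd_log2` in test_extdom_plugin reads the master's `sssd_<domain>.log`, but the master's `sssd_be` is exactly the process the test just SIGSTOPped, so it cannot write anything during the client's lookup; the `ldap_extended_operation result: No such object(32)` message, if it is emitted at all, would come from the client-side backend that issues the `id testuser@...` lookup, so as written the check cannot fail. Capture and compare the client's log instead: `log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR, client.domain.name)`, `logsize = len(client.get_file_contents(log_file))` and `sssd_log2 = client.get_file_contents(log_file)[logsize:]`, and add a comment that the client's sssd debug level has to be high enough for that failure message to be logged, since otherwise a "not in log" assertion proves nothing. A related ordering concern: `pidof sssd_be` is read before `tasks.modify_sssd_conf` rewrites the master's sssd.conf with `timeout: 999999`; if that helper only edits the file (the sibling test_override_homedir follows it with `tasks.clear_sssd_cache`), the new timeout is never loaded and the SSSD monitor may restart the stopped backend mid-test, whereas if it does restart SSSD the captured pid is stale — either way the pid should be taken after the configuration is actually applied. Finally, the `finally` block resets `ipaExtdomMaxNssTimeout` to a hard-coded 10000 rather than the value read before the test, and `tasks.restore_files`/`tasks.clear_sssd_cache` are skipped if that `ldapmodify_dm` raises, leaving the master with a modified sssd.conf.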
@@ -16,8 +16,6 @@ class BaseTestTrust(IntegrationTest): topology = 'line' num_ad_domains = 1 - num_ad_subdomains = 1 - num_ad_treedomains = 1 upn_suffix = 'UPNsuffix.com' upn_username = 'upnuser' @@ -39,11 +37,6 @@ def install(cls, mh): tasks.install_adtrust(cls.master) cls.check_sid_generation() - cls.child_ad = cls.ad_subdomains[0] # pylint: disable=no-member - cls.ad_subdomain = cls.child_ad.domain.name - cls.tree_ad = cls.ad_treedomains[0] # pylint: disable=no-member - cls.ad_treedomain = cls.tree_ad.domain.name - # values used in workaround for # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 cls.srv_gc_record_name = \ @@ -103,10 +96,6 @@ def test_establish_nonposix_trust(self): self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) - def test_trustdomains_found_in_nonposix_trust(self): - self.check_trustdomains( - self.ad_domain, [self.ad_domain, self.ad_subdomain]) - def test_range_properties_in_nonposix_trust(self): self.check_range_properties(self.ad_domain, 'ipa-ad-trust', 200000) @@ -188,11 +177,6 @@ def test_establish_posix_trust(self): self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust-posix']) - def test_trustdomains_found_in_posix_trust(self): - """Tests that all trustdomains can be found.""" - self.check_trustdomains( - self.ad_domain, [self.ad_domain, self.ad_subdomain]) - def test_range_properties_in_posix_trust(self): """Check the properties of the created range""" self.check_range_properties(self.ad_domain, 'ipa-ad-trust-posix', 
@@ -359,330 +343,12 @@ def test_invalid_range_types(self): # Tests for external trust with AD subdomain - def test_establish_external_subdomain_trust(self): - self.configure_dns_and_time(self.child_ad) - tasks.establish_trust_with_ad( - self.master, self.ad_subdomain, - extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - - def test_trustdomains_found_in_external_subdomain_trust(self): - self.check_trustdomains( - self.ad_subdomain, [self.ad_subdomain]) - - def test_user_gid_uid_resolution_in_external_subdomain_trust(self): - """Check that user has SID-generated UID""" - testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain) - result = self.master.run_command(['getent', 'passwd', testuser]) - - testuser_regex = (r"^subdomaintestuser@{0}:\*:(?!10142)(\d+):" - r"(?!10147)(\d+):Subdomaintest User:" - r"/home/{1}/subdomaintestuser:{2}$".format( - re.escape(self.ad_subdomain), - re.escape(self.ad_subdomain), - self.default_shell, - )) - - assert re.search(testuser_regex, result.stdout_text) - - def test_remove_external_subdomain_trust(self): - self.remove_trust(self.child_ad) - - # Tests for non-external trust with AD subdomain - - def test_establish_nonexternal_subdomain_trust(self): - self.configure_dns_and_time(self.child_ad) - try: - tasks.kinit_admin(self.master) - - result = self.master.run_command([ - 'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, - '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' - ], stdin_text=self.master.config.ad_admin_password, - raiseonerr=False) - - assert result != 0 - assert ("Domain '{0}' is not a root domain".format( - self.ad_subdomain) in result.stderr_text) - finally: - tasks.unconfigure_dns_for_trust(self.master, self.child_ad) - # Tests for external trust with tree domain - def test_establish_external_treedomain_trust(self): - self.configure_dns_and_time(self.tree_ad) - tasks.establish_trust_with_ad( - self.master, self.ad_treedomain, - extra_args=['--range-type', 
'ipa-ad-trust', '--external=True']) - - def test_trustdomains_found_in_external_treedomain_trust(self): - self.check_trustdomains( - self.ad_treedomain, [self.ad_treedomain]) - - def test_user_gid_uid_resolution_in_external_treedomain_trust(self): - """Check that user has SID-generated UID""" - testuser = 'treetestuser@{0}'.format(self.ad_treedomain) - result = self.master.run_command(['getent', 'passwd', testuser]) - - testuser_regex = (r"^treetestuser@{0}:\*:(?!10242)(\d+):" - r"(?!10247)(\d+):TreeTest User:" - r"/home/{1}/treetestuser:{2}$".format( - re.escape(self.ad_treedomain), - re.escape(self.ad_treedomain), - self.default_shell, - )) - - assert re.search( - testuser_regex, result.stdout_text), result.stdout_text - - def test_remove_external_treedomain_trust(self): - self.remove_trust(self.tree_ad) - # Test for non-external trust with tree domain - def test_establish_nonexternal_treedomain_trust(self): - self.configure_dns_and_time(self.tree_ad) - try: - tasks.kinit_admin(self.master) - - result = self.master.run_command([ - 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, - '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' - ], stdin_text=self.master.config.ad_admin_password, - raiseonerr=False) - - assert result != 0 - assert ("Domain '{0}' is not a root domain".format( - self.ad_treedomain) in result.stderr_text) - finally: - tasks.unconfigure_dns_for_trust(self.master, self.tree_ad) - # Tests for external trust with root domain - def test_establish_external_rootdomain_trust(self): - self.configure_dns_and_time(self.ad) - tasks.establish_trust_with_ad( - self.master, self.ad_domain, - extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - - def test_trustdomains_found_in_external_rootdomain_trust(self): - self.check_trustdomains(self.ad_domain, [self.ad_domain]) - - def test_remove_external_rootdomain_trust(self): - self.remove_trust(self.ad) - # Test for one-way forest trust with shared secret - def 
test_establish_forest_trust_with_shared_secret(self): - self.configure_dns_and_time(self.ad) - tasks.configure_windows_dns_for_trust(self.ad, self.master) - - # this is a workaround for - # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 - self.master.run_command( - ['ipa', 'dnsrecord-add', self.master.domain.name, - self.srv_gc_record_name, - '--srv-rec', self.srv_gc_record_value]) - - # create windows side of trust using powershell bindings - # to .Net functions - ps_cmd = ( - '[System.DirectoryServices.ActiveDirectory.Forest]' - '::getCurrentForest()' - '.CreateLocalSideOfTrustRelationship("{}", 1, "{}")'.format( - self.master.domain.name, self.shared_secret)) - self.ad.run_command(['powershell', '-c', ps_cmd]) - - # create ipa side of trust - tasks.establish_trust_with_ad( - self.master, self.ad_domain, shared_secret=self.shared_secret) - - def test_trustdomains_found_in_forest_trust_with_shared_secret(self): - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name], - raiseonerr=False) - assert result.returncode == 1 - self.check_trustdomains( - self.ad_domain, [self.ad_domain, self.ad_subdomain]) - - def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self): - """Check that user has SID-generated UID""" - # Using domain name since it is lowercased realm name for AD domains - testuser = 'testuser@%s' % self.ad_domain - result = self.master.run_command(['getent', 'passwd', testuser]) - - # This regex checks that Test User does not have UID 10042 nor belongs - # to the group with GID 10047 - testuser_regex = r"^testuser@%s:\*:(?!10042)(\d+):(?!10047)(\d+):"\ - r"Test User:/home/%s/testuser:%s$"\ - % (re.escape(self.ad_domain), - re.escape(self.ad_domain), - self.default_shell, - ) - - assert re.search( - testuser_regex, result.stdout_text), result.stdout_text - - def test_remove_forest_trust_with_shared_secret(self): - ps_cmd = ( - '[System.DirectoryServices.ActiveDirectory.Forest]' - '::getCurrentForest()' - 
'.DeleteLocalSideOfTrustRelationship("{}")'.format( - self.master.domain.name)) - self.ad.run_command(['powershell', '-c', ps_cmd]) - - self.remove_trust(self.ad) - - # this is cleanup for workaround for - # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 - self.master.run_command( - ['ipa', 'dnsrecord-del', self.master.domain.name, - self.srv_gc_record_name, '--srv-rec', - self.srv_gc_record_value]) - - tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) - # Test for one-way external trust with shared secret - - def test_establish_external_trust_with_shared_secret(self): - self.configure_dns_and_time(self.ad) - tasks.configure_windows_dns_for_trust(self.ad, self.master) - - # create windows side of trust using netdom.exe utility - self.ad.run_command( - ['netdom.exe', 'trust', self.master.domain.name, - '/d:' + self.ad.domain.name, - '/passwordt:' + self.shared_secret, '/add', '/oneside:TRUSTED']) - - # create ipa side of trust - tasks.establish_trust_with_ad( - self.master, self.ad_domain, shared_secret=self.shared_secret, - extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - - def test_trustdomains_found_in_external_trust_with_shared_secret(self): - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name], - raiseonerr=False) - assert result.returncode == 1 - self.check_trustdomains( - self.ad_domain, [self.ad_domain]) - - def test_user_uid_resolution_in_external_trust_with_shared_secret(self): - """Check that user has SID-generated UID""" - # Using domain name since it is lowercased realm name for AD domains - testuser = 'testuser@%s' % self.ad_domain - result = self.master.run_command(['getent', 'passwd', testuser]) - - # This regex checks that Test User does not have UID 10042 nor belongs - # to the group with GID 10047 - testuser_regex = r"^testuser@%s:\*:(?!10042)(\d+):(?!10047)(\d+):"\ - r"Test User:/home/%s/testuser:%s$"\ - % (re.escape(self.ad_domain), - re.escape(self.ad_domain), - 
self.default_shell, - ) - - assert re.search( - testuser_regex, result.stdout_text), result.stdout_text - - def test_remove_external_trust_with_shared_secret(self): - self.ad.run_command( - ['netdom.exe', 'trust', self.master.domain.name, - '/d:' + self.ad.domain.name, '/remove', '/oneside:TRUSTED'] - ) - self.remove_trust(self.ad) - tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) - - def test_server_option_with_unreachable_ad(self): - """ - Check trust can be established with partially unreachable AD topology - - The SRV records for AD services can point to hosts unreachable for - ipa master. In this case we must be able to establish trust and - fetch domains list by using "--server" option. - This is the regression test for https://pagure.io/freeipa/issue/7895. - """ - # To simulate Windows Server advertising unreachable hosts in SRV - # records we create specially crafted zone file for BIND DNS server - tasks.backup_file(self.master, paths.NAMED_CONF) - ad_zone = textwrap.dedent(''' - $ORIGIN {ad_dom}. - $TTL 86400 - @ IN A {ad_ip} - IN NS {ad_host}. - IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600 - _msdcs IN NS {ad_host}. - _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}. - _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}. - _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}. - _gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}. - _kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}. - _kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}. - _ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}. - _kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}. - _kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}. - ad1 IN A {ad_ip} - unreachable IN A {unreachable} - DomainDnsZones IN A {ad_ip} - _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. - _ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. 
- ForestDnsZones IN A {ad_ip} - _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. - _ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. - '''.format( # noqa: E501 - ad_ip=self.ad.ip, unreachable='192.168.254.254', - ad_host=self.ad.hostname, ad_dom=self.ad.domain.name)) - ad_zone_file = tasks.create_temp_file(self.master, directory='/etc') - self.master.put_file_contents(ad_zone_file, ad_zone) - self.master.run_command( - ['chmod', '--reference', paths.NAMED_CONF, ad_zone_file]) - self.master.run_command( - ['chown', '--reference', paths.NAMED_CONF, ad_zone_file]) - named_conf = self.master.get_file_contents(paths.NAMED_CONF, - encoding='utf-8') - named_conf += textwrap.dedent(''' - zone "ad.test" {{ - type master; - file "{}"; - }}; - '''.format(ad_zone_file)) - self.master.put_file_contents(paths.NAMED_CONF, named_conf) - tasks.restart_named(self.master) - try: - # Check that trust can not be established without --server option - # This checks that our setup is correct - result = self.master.run_command( - ['ipa', 'trust-add', self.ad.domain.name, - '--admin', 'Administrator', '--password'], raiseonerr=False) - assert result.returncode == 1 - assert 'CIFS server communication error: code "3221225653", ' \ - 'message "{Device Timeout}' in result.stderr_text - - # Check that trust is successfully established with --server option - tasks.establish_trust_with_ad( - self.master, self.ad_domain, - extra_args=['--server', self.ad.hostname]) - - # Check domains can not be fetched without --server option - # This checks that our setup is correct - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name], - raiseonerr=False) - assert result.returncode == 1 - assert ('Fetching domains from trusted forest failed' - in result.stderr_text) - - # Check that domains can be fetched with --server option - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name, 
- '--server', self.ad.hostname], - raiseonerr=False) - assert result.returncode == 1 - assert ('List of trust domains successfully refreshed' - in result.stdout_text) - finally: - tasks.restore_files(self.master) - self.master.run_command(['rm', '-f', ad_zone_file]) - tasks.restart_named(self.master) - tasks.remove_trust_with_ad(self.master, self.ad_domain)