URL: https://github.com/SSSD/sssd/pull/5442
Author: sidecontrol
 Title: #5442: Adding multihost test for supporting asymmetric nsupdate auth
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5442/head:pr5442
git checkout pr5442
From 7a712ad61f9225c60ca9bcced351cf3a38d80c22 Mon Sep 17 00:00:00 2001
From: Dan Lavu <dl...@redhat.com>
Date: Sat, 19 Dec 2020 15:50:32 -0500
Subject: [PATCH] Adding multihost test for supporting asymmetric nsupdate auth

* https://bugzilla.redhat.com/show_bug.cgi?id=1884301
---
 src/tests/multihost/ipa/conftest.py  | 39 +++++++++++++++++++++--
 src/tests/multihost/ipa/test_misc.py | 47 ++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/src/tests/multihost/ipa/conftest.py b/src/tests/multihost/ipa/conftest.py
index 446c087311..f65ae765d3 100644
--- a/src/tests/multihost/ipa/conftest.py
+++ b/src/tests/multihost/ipa/conftest.py
@@ -61,7 +61,38 @@ def remove_ad_user_group():
         ad.delete_ad_user_group(ad_user)
 
     request.addfinalizer(remove_ad_user_group)
-    return (ad_user, ad_group)
+    return ad_user, ad_group
+
+
+@pytest.fixture(scope="function")
+def create_reverse_zone(session_multihost, request):
+    """ Creates reverse zone """
+    client_ip = session_multihost.client[0].ip
+    subnet = client_ip.split(".", 3)
+    del subnet[-1]
+    subnet.reverse()
+    zone = '.'.join(subnet) + '.in-addr.arpa.'
+    policy = 'grant * tcp-self * PTR'
+
+    cmd_createzone = 'ipa dnszone-add %s ' \
+                     '--dynamic-update=true ' \
+                     '--allow-sync-ptr=true ' \
+                     '--skip-overlap-check ' \
+                     '--forward-policy=none' % zone
+    cmd_modifyzone = 'ipa dnszone-mod %s ' \
+                     '--update-policy=\'%s;\'' % (zone, policy)
+    session_multihost.master[0].run_command(cmd_createzone,
+                                            raiseonerr=False)
+    session_multihost.master[0].run_command(cmd_modifyzone,
+                                            raiseonerr=False)
+
+    def remove_reverse_zone():
+        """  removes reverse zone """
+        cmd_removezone = 'ipa dnszone-del %s' % zone
+        session_multihost.master[0].run_command(cmd_removezone,
+                                                raiseonerr=False)
+
+    request.addfinalizer(remove_reverse_zone)
 
 
 @pytest.fixture(scope="function")
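Review bot: Both setup calls in `create_reverse_zone` pass `raiseonerr=False`, so a failed `ipa dnszone-add` or `ipa dnszone-mod` is ignored and the dependent test can run against a zone that lacks the `tcp-self` update policy, failing later with a misleading DNS assertion. Let the two setup calls raise, keeping `raiseonerr=False` only in the `remove_reverse_zone` finalizer. If tolerating an already existing zone is intended, check `returncode` explicitly instead. The zone derivation assumes an IPv4 client in a /24, and the policy deliberately permits unauthenticated PTR updates, so a comment such as `# IPv4 /24 only; tcp-self lets a client update the PTR for its own TCP source address without GSS-TSIG` would make both assumptions explicit.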
@@ -147,7 +178,7 @@ def default_ipa_users(session_multihost, request):
                      'loginname': 'foobar%d' % i,
                      'default_password': 'RedHat@123',
                      'reset_password': 'Secret123'}
-        useradd = "echo '%s' | ipa user-add --first %s "\
+        useradd = "echo '%s' | ipa user-add --first %s " \
                   " --last %s --password %s" % (user_info['default_password'],
                                                 user_info['firstname'],
                                                 user_info['lastname'],
@@ -162,6 +193,7 @@ def remove_ipa_users():
             user = 'foobar%d' % i
             cmd = 'ipa user-del foobar%d' % i
             session_multihost.master[0].run_command(cmd)
+
     request.addfinalizer(remove_ipa_users)
 
 
@@ -193,6 +225,7 @@ def allow_all_hbac():
             session_multihost.master[0].run_command(allow_all)
         except CalledProcessError:
             pytest.fail("Failed to enable allow_all rule")
+
     request.addfinalizer(allow_all_hbac)
 
 
@@ -226,6 +259,7 @@ def remove_users():
         """ Remove AD users """
         del_cmd = 'powershell -inputformat none -noprofile ./remove-users.ps1'
         session_multihost.ad[0].run_command(del_cmd, raiseonerr=False)
+
     request.addfinalizer(remove_users)
 
 
@@ -247,6 +281,7 @@ def remove_ad_groups():
         """ Remove AD Groups """
         del_cmd = 'powershell -inputformat none -noprofile ./remove-groups.ps1'
         session_multihost.ad[0].run_command(del_cmd, raiseonerr=False)
+
     request.addfinalizer(remove_ad_groups)
 
 
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index a15ac5f08a..f199f2fc92 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -8,6 +8,7 @@
 
 import pytest
 import time
+from sssd.testlib.ipa.utils import ipaTools
 from sssd.testlib.common.utils import sssdTools
 from sssd.testlib.common.exceptions import SSSDException
 import re
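Review bot: `ipaTools` is imported here but none of the lines this patch adds to `test_misc.py` reference it, so flake8 would likely report it as an unused import. Drop `from sssd.testlib.ipa.utils import ipaTools` unless code outside the visible hunks needs it.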
@@ -133,3 +134,49 @@ def test_filter_groups(self, multihost, default_ipa_groups,
                                                        str(gid_start+4),
                                                        str(gid_start+5)]), \
             "The unexpected gid found in the id output!"
+
+    def test_asymmetric_auth_for_nsupdate(self, multihost,
+                                          create_reverse_zone):
+        """
+        @Title: Support asymmetric auth for nsupdate
+        @Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1884301
+        """
+        client = sssdTools(multihost.client[0])
+        client_hostname = multihost.client[0].sys_hostname
+        server_hostname = multihost.master[0].sys_hostname
+        client_l = client_hostname.split('.', 1)
+        client_hostname_short = client_l[0]
+        client_ip = multihost.client[0].ip
+        subnet = client_ip.split('.', 3)
+        del subnet[-1]
+        subnet.reverse()
+        zone = '.'.join(subnet) + '.in-addr.arpa.'
+
+        domain_name = client.get_domain_section_name()
+        client.sssd_conf(
+            'domain/%s' % domain_name,
+            {'dyndns_force_tcp': 'true',
+             'dyndns_update': 'true',
+             'dyndns_update_ptr': 'true',
+             'dyndns_refresh_interval': '5',
+             'dyndns_auth_ptr': 'None',
+             'dyndns_server': '%s' % server_hostname})
+        cmd_del_record = 'ipa dnsrecord-del %s %s --del-all' % \
+                         (domain_name, client_hostname_short)
+        multihost.master[0].run_command(cmd_del_record, raiseonerr=False)
+
+        client.remove_sss_cache('/var/lib/sss/db')
+        multihost.client[0].service_sssd('restart')
+        time.sleep(10)
+
+        cmd_check_arecord = 'nslookup %s' % client_hostname
+        cmd_check_ptrrecord = 'nslookup %s' % client_ip
+
+        rc_arecord = multihost.client[0].run_command(cmd_check_arecord,
+                                            raiseonerr=False)
+        rc_ptrrecord = multihost.client[0].run_command(cmd_check_ptrrecord,
+                                                        raiseonerr=False)
+        assert rc_arecord.returncode == 0
+        assert client_ip in rc_arecord.stdout_text
+        assert rc_ptrrecord.returncode == 0
+        assert client_hostname in rc_ptrrecord.stdout_text
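Review bot: The `subnet`/`zone` computation in `test_asymmetric_auth_for_nsupdate` is dead code, because `zone` is never read after it is built and the `create_reverse_zone` fixture already derives the same value, so the four lines from `subnet = client_ip.split('.', 3)` to `zone = ...` can be removed. The test also rewrites the domain section through `client.sssd_conf(...)` and nothing visible in this hunk restores it, so later tests may inherit `dyndns_auth_ptr = None`. If no fixture outside the hunk handles that, back up and restore sssd.conf around the test. The fixed `time.sleep(10)` after the restart makes the result timing-dependent, and polling `nslookup` with a bounded retry would be more robust. The continuation line `raiseonerr=False)` of the first `run_command` call is not aligned with its opening bracket.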