c14a06
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
c14a06
From: Anuja More <amore@redhat.com>
c14a06
Date: Mon, 9 Aug 2021 20:57:22 +0530
c14a06
Subject: [PATCH] ipatests: Test unsecure nsupdate.
c14a06
c14a06
The test configures an external bind server on the ipa-server
c14a06
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
c14a06
c14a06
When the IPA client is registered using ipa-client-install,
c14a06
DNS records are added for the client in the bind server using nsupdate.
c14a06
The first try is using GSS-TIG but fails as expected, and the client
c14a06
installer then tries with unauthenticated nsupdate.
c14a06
c14a06
Related : https://pagure.io/freeipa/issue/8402
c14a06
c14a06
Signed-off-by: Anuja More <amore@redhat.com>
c14a06
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
c14a06
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
c14a06
---
c14a06
 .../test_installation_client.py               | 118 ++++++++++++++++++
c14a06
 1 file changed, 118 insertions(+)
c14a06
c14a06
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
c14a06
index fa59a5255..014b0f6ab 100644
c14a06
--- a/ipatests/test_integration/test_installation_client.py
c14a06
+++ b/ipatests/test_integration/test_installation_client.py
c14a06
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
c14a06
 
c14a06
 from __future__ import absolute_import
c14a06
 
c14a06
+import pytest
c14a06
+import re
c14a06
 import shlex
c14a06
+import textwrap
c14a06
 
c14a06
+from ipaplatform.paths import paths
c14a06
 from ipatests.test_integration.base import IntegrationTest
c14a06
 from ipatests.pytest_ipa.integration import tasks
c14a06
+from ipatests.pytest_ipa.integration.firewall import Firewall
c14a06
 
c14a06
 
c14a06
 class TestInstallClient(IntegrationTest):
c14a06
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
c14a06
                              extra_args=['--ssh-trust-dns'])
c14a06
         result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
c14a06
         assert 'HostKeyAlgorithms' not in result.stdout_text
c14a06
+
c14a06
+
c14a06
+class TestClientInstallBind(IntegrationTest):
c14a06
+    """
c14a06
+    The test configures an external bind server on the ipa-server
c14a06
+    (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
c14a06
+    When the IPA client is registered using ipa-client-install,
c14a06
+    DNS records are added for the client in the bind server using nsupdate.
c14a06
+    The first try is using GSS-TIG but fails as expected, and the client
c14a06
+    installer then tries with unauthenticated nsupdate.
c14a06
+    """
c14a06
+
c14a06
+    num_clients = 1
c14a06
+
c14a06
+    @classmethod
c14a06
+    def install(cls, mh):
c14a06
+        cls.client = cls.clients[0]
c14a06
+
c14a06
+    @pytest.fixture
c14a06
+    def setup_bindserver(self):
c14a06
+        bindserver = self.master
c14a06
+        named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
c14a06
+        # create a zone in the BIND server that is identical to the IPA
c14a06
+        add_zone = textwrap.dedent("""
c14a06
+        zone "{domain}" IN {{ type master;
c14a06
+        file "{domain}.db"; allow-query {{ any; }};
c14a06
+        allow-update {{ any; }}; }};
c14a06
+        """).format(domain=bindserver.domain.name)
c14a06
+
c14a06
+        namedcfg = bindserver.get_file_contents(
c14a06
+            paths.NAMED_CONF, encoding='utf-8')
c14a06
+        namedcfg += '\n' + add_zone
c14a06
+        bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
c14a06
+
c14a06
+        def update_contents(path, pattern, replace):
c14a06
+            contents = bindserver.get_file_contents(path, encoding='utf-8')
c14a06
+            namedcfg_query = re.sub(pattern, replace, contents)
c14a06
+            bindserver.put_file_contents(path, namedcfg_query)
c14a06
+
c14a06
+        update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
c14a06
+        update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
c14a06
+                        "#listen-on port 53 { 127.0.0.1; };")
c14a06
+        update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
c14a06
+                        "#listen-on-v6 port 53 { ::1; };")
c14a06
+
c14a06
+        add_records = textwrap.dedent("""
c14a06
+        @   IN  SOA     {fqdn}. root.{domain}. (
c14a06
+        1001    ;Serial
c14a06
+        3H      ;Refresh
c14a06
+        15M     ;Retry
c14a06
+        1W      ;Expire
c14a06
+        1D      ;Minimum 1D
c14a06
+        )
c14a06
+        @      IN  NS      {fqdn}.
c14a06
+        ns1 IN  A       {bindserverip}
c14a06
+        _kerberos.{domain}. IN TXT {zoneupper}
c14a06
+        {fqdn}.    IN  A       {bindserverip}
c14a06
+        ipa-ca.{domain}.        IN  A       {bindserverip}
c14a06
+        _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
c14a06
+        _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
c14a06
+        _kerberos._tcp.{domain}. 	IN SRV 0 100 88 {fqdn}.
c14a06
+        _kerberos._udp.{domain}. 	IN SRV 0 100 88 {fqdn}.
c14a06
+        _kpasswd._tcp.{domain}. 	IN SRV 0 100 464 {fqdn}.
c14a06
+        _kpasswd._udp.{domain}. 	IN SRV 0 100 464 {fqdn}.
c14a06
+        _ldap._tcp.{domain}. 		IN SRV 0 100 389 {fqdn}.
c14a06
+        """).format(
c14a06
+            fqdn=bindserver.hostname,
c14a06
+            domain=bindserver.domain.name,
c14a06
+            bindserverip=bindserver.ip,
c14a06
+            zoneupper=bindserver.domain.name.upper()
c14a06
+        )
c14a06
+        bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
c14a06
+        bindserver.put_file_contents(bindserverdb, add_records)
c14a06
+        bindserver.run_command(['systemctl', 'start', 'named'])
c14a06
+        Firewall(bindserver).enable_services(["dns"])
c14a06
+        yield
c14a06
+        named_conf_backup.restore()
c14a06
+        bindserver.run_command(['rm', '-rf', bindserverdb])
c14a06
+
c14a06
+    def test_client_nsupdate(self, setup_bindserver):
c14a06
+        """Test secure nsupdate failed, then try unsecure nsupdate..
c14a06
+
c14a06
+        Test to verify when bind is configured with dynamic update policy,
c14a06
+        and during client-install 'nsupdate -g' fails then it should run with
c14a06
+        second call using unauthenticated nsupdate.
c14a06
+
c14a06
+        Related : https://pagure.io/freeipa/issue/8402
c14a06
+        """
c14a06
+        # with pre-configured bind server, install ipa-server without dns.
c14a06
+        tasks.install_master(self.master, setup_dns=False)
c14a06
+        self.client.resolver.backup()
c14a06
+        self.client.resolver.setup_resolver(
c14a06
+            self.master.ip, self.master.domain.name)
c14a06
+        try:
c14a06
+            self.client.run_command(['ipa-client-install', '-U',
c14a06
+                                     '--domain', self.client.domain.name,
c14a06
+                                     '--realm', self.client.domain.realm,
c14a06
+                                     '-p', self.client.config.admin_name,
c14a06
+                                     '-w', self.client.config.admin_password,
c14a06
+                                     '--server', self.master.hostname])
c14a06
+            # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
c14a06
+            str1 = "nsupdate (GSS-TSIG) failed"
c14a06
+            str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
c14a06
+            client_log = self.client.get_file_contents(
c14a06
+                paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
c14a06
+            )
c14a06
+            assert str1 in client_log and str2 in client_log
c14a06
+            dig_after = self.client.run_command(
c14a06
+                ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
c14a06
+                 '-t', 'SSHFP'])
c14a06
+            assert "ANSWER: 0" not in dig_after.stdout_text.strip()
c14a06
+        finally:
c14a06
+            self.client.resolver.restore()
c14a06
-- 
c14a06
2.31.1
c14a06