From ab4fe72e38034ec9bde358006c174146fefe6150 Mon Sep 17 00:00:00 2001
From: Adam Samalik
Date: Thu, 23 Feb 2023 11:47:58 +0000
Subject: [PATCH] update modulemd etc
---
.gitignore | 0
gating.yaml | 9 ++
idm.yaml | 103 +++++++++++++++++++++++
tests/python-qrcode/test_ipa_otptoken.py | 30 +++++++
tests/python-yubico/test_ipa_yubikey.py | 28 ++++++
tests/pyusb/test_ipa_yubico_api.py | 33 ++++++++
tests/sanity/runtest.sh | 8 ++
tests/tests.yml | 50 +++++++++++
8 files changed, 261 insertions(+)
create mode 100644 .gitignore
create mode 100644 gating.yaml
create mode 100644 idm.yaml
create mode 100755 tests/python-qrcode/test_ipa_otptoken.py
create mode 100755 tests/python-yubico/test_ipa_yubikey.py
create mode 100755 tests/pyusb/test_ipa_yubico_api.py
create mode 100644 tests/sanity/runtest.sh
create mode 100644 tests/tests.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..2d5ecb6
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+# recipients: abokovoy, twoerner, rcritten, ftrivino
+--- !Policy
+product_versions:
+ - rhel-8
+decision_context: osci_compose_gate_modules
+subject_type: redhat-module
+rules:
+ - !PassingTestCaseRule {test_case_name: baseos-ci.redhat-module.tier0.functional}
+ - !PassingTestCaseRule {test_case_name: idm-ci.redhat-module.tier1.functional}
diff --git a/idm.yaml b/idm.yaml
new file mode 100644
index 0000000..fe2425b
--- /dev/null
+++ b/idm.yaml
@@ -0,0 +1,103 @@
+---
+document: modulemd
+version: 2
+data:
+ stream: DL1
+ summary: The Red Hat Enterprise Linux Identity Management system module
+ description: >-
+ RHEL IdM is an integrated solution to provide centrally managed Identity (users,
+ hosts, services), Authentication (SSO, 2FA), and Authorization (host access control,
+ SELinux user roles, services). The solution provides features for further integration
+ with Linux based clients (SUDO, automount) and integration with Active Directory
+ based infrastructures (Trusts).
+ license:
+ module:
+ - MIT
+ dependencies:
+ - buildrequires:
+ 389-ds: [1.4]
+ httpd: [2.4]
+ pki-core: [10.6]
+ platform: [el8]
+ requires:
+ 389-ds: [1.4]
+ httpd: [2.4]
+ pki-core: [10.6]
+ platform: [el8]
+ references:
+ community: https://www.freeipa.org/
+ documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
+ tracker: https://pagure.io/freeipa/issues
+ profiles:
+ adtrust:
+ description: RHEL IdM Server Integration with Active Directory
+ rpms:
+ - ipa-healthcheck
+ - ipa-healthcheck-core
+ - ipa-server-trust-ad
+ client:
+ description: RHEL IdM Client
+ rpms:
+ - ipa-client
+ common:
+ description: A default profile for RHEL IdM client
+ rpms:
+ - ipa-client
+ dns:
+ description: RHEL IdM with integrated DNS server and integrated CA
+ rpms:
+ - ipa-healthcheck
+ - ipa-healthcheck-core
+ - ipa-server
+ - ipa-server-dns
+ server:
+ description: Base RHEL IdM Server with integrated CA and no integrated DNS
+ rpms:
+ - ipa-healthcheck
+ - ipa-healthcheck-core
+ - ipa-server
+ components:
+ rpms:
+ bind-dyndb-ldap:
+ rationale: Driver for BIND to store DNS information in LDAP
+ ref: stream-idm-DL1-rhel-8.8.0
+ custodia:
+ rationale: Remote access to secrets and credentials in IdM topology
+ ref: stream-idm-DL1-rhel-8.8.0
+ buildorder: 2
+ ipa:
+ rationale: Module API
+ ref: stream-idm-DL1-rhel-8.8.0
+ ipa-healthcheck:
+ rationale: A tool to detect issues in IdM clusters
+ ref: stream-DL1-rhel-8.8.0
+ buildorder: 3
+ opendnssec:
+ rationale: An implementation of DNSSEC support for IdM integrated DNS server
+ ref: stream-idm-DL1-rhel-8.8.0
+ python-jwcrypto:
+ rationale: JSON Web Cryptographic Tokens used by Custodia
+ ref: stream-idm-DL1-rhel-8.8.0
+ buildorder: 1
+ python-kdcproxy:
+ rationale: MS-KKDCP (kerberos proxy) WSGI module
+ ref: stream-idm-DL1-rhel-8.8.0
+ python-qrcode:
+ rationale: QR code generator for IdM two-factor authentication
+ ref: stream-idm-DL1-rhel-8.8.0
+ python-yubico:
+ rationale: Support for Yubikey-based tokens for IdM two-factor authentication
+ ref: stream-idm-DL1-rhel-8.8.0
+ buildorder: 2
+ pyusb:
+ rationale: Python USB support to access USB tokens for IdM two-factor authentication
+ ref: stream-idm-DL1-rhel-8.8.0
+ buildorder: 1
+ slapi-nis:
+ rationale: Compatibility plugin to serve legacy clients
+ ref: stream-idm-DL1-rhel-8.8.0
+ arches: [aarch64, ppc64le, s390x, x86_64]
+ softhsm:
+ rationale: Software version of a PKCS#11 Hardware Security Module
+ ref: stream-idm-DL1-rhel-8.8.0
+...
diff --git a/tests/python-qrcode/test_ipa_otptoken.py b/tests/python-qrcode/test_ipa_otptoken.py
new file mode 100755
index 0000000..0c9e0b4
--- /dev/null
+++ b/tests/python-qrcode/test_ipa_otptoken.py
@@ -0,0 +1,30 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by python3-qrcode
+"""
+import io
+import logging
+import hashlib
+
+import qrcode
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+TEXT = "example data"
+HASH = "4d0186bad6cb0ea83f634959bba9bd2494f2b15cc785285e0914521246452e06"
+
+
+def main():
+ qr_output = io.StringIO()
+ qr = qrcode.QRCode()
+ qr.add_data(TEXT)
+ qr.make()
+ qr.print_ascii(out=qr_output, tty=False)
+ value = qr_output.getvalue()
+ print(value)
+ assert hashlib.sha256(value.encode('utf-8')).hexdigest() == HASH
+ log.info("PASS")
+
+
+if __name__ == "__main__":
+ main()
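Review bot: In `components.rpms` of idm.yaml, `ipa-healthcheck` uses `ref: stream-DL1-rhel-8.8.0` while every other component in the hunk uses `stream-idm-DL1-rhel-8.8.0`. If that component's branch really is named without the prefix, a short comment such as `# ipa-healthcheck branch has no "idm-" prefix` would keep a later bulk edit from "correcting" it; if it is a typo, the module build would resolve a wrong or missing branch. Separately, `references.documentation` links the RHEL 7 guide although `platform` is `[el8]`, which looks stale.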
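Review bot: `HASH` in test_ipa_otptoken.py pins the exact bytes of the `print_ascii()` output, so the check in `main()` breaks on any legitimate rendering change in python-qrcode, and the bare `assert` reports neither digest when it does. Add a comment above the constant saying how it was produced, e.g. `# sha256 of print_ascii(tty=False) output for TEXT with default QRCode() settings`, and give the assertion a message that includes the computed digest. Since the comparison is an `assert`, an interpreter started with `-O` would log PASS without checking anything; an explicit `if digest != HASH: raise SystemExit(...)` does not have that failure mode.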
diff --git a/tests/python-yubico/test_ipa_yubikey.py b/tests/python-yubico/test_ipa_yubikey.py
new file mode 100755
index 0000000..df8dda5
--- /dev/null
+++ b/tests/python-yubico/test_ipa_yubikey.py
@@ -0,0 +1,28 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by IPA's otptoken plugin
+"""
+import logging
+
+import yubico
+import usb.core
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+
+def main():
+ try:
+ yk = yubico.find_yubikey()
+ except usb.core.USBError as e:
+ log.info(e)
+ except yubico.yubikey.YubiKeyError as e:
+ log.info(e)
+ else:
+ assert yk.version_num()
+ log.info(yk.status())
+ log.info(yk.status().valid_configs())
+ log.info("PASS")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/pyusb/test_ipa_yubico_api.py b/tests/pyusb/test_ipa_yubico_api.py
new file mode 100755
index 0000000..593152b
--- /dev/null
+++ b/tests/pyusb/test_ipa_yubico_api.py
@@ -0,0 +1,33 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by python-yubico
+"""
+import logging
+
+import usb.core
+import usb.legacy
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+
+def main():
+ for d in usb.core.find(find_all=True):
+ usb_device = usb.legacy.Device(d)
+ # import pdb; pdb.set_trace()
+ log.info(vars(usb_device))
+ assert usb_device.idVendor
+ assert usb_device.idProduct
+ usb_conf = usb_device.configurations[0]
+ log.info(vars(usb_conf))
+ usb_int = usb_conf.interfaces[0][0]
+ try:
+ usb_handle = usb_device.open()
+ assert usb_handle.controlMsg.__call__
+ usb_handle.releaseInterface()
+ except usb.core.USBError:
+ log.info("Unable to open USB device")
+ log.info("PASS")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/sanity/runtest.sh b/tests/sanity/runtest.sh
new file mode 100644
index 0000000..490cbae
--- /dev/null
+++ b/tests/sanity/runtest.sh
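Review bot: Both `except` branches of `main()` in test_ipa_yubikey.py only call `log.info(e)`, so on a CI host with no token attached the script exits 0 and the gate records a pass although `find_yubikey()` never returned a device. Indentation is lost on this page, so whether `log.info("PASS")` sits inside the `else:` cannot be told from here; either way the two outcomes should be distinguishable in the log, e.g. `log.info("SKIP: no YubiKey available: %s", e)` in the handlers. A docstring line saying that without hardware the test only proves that `yubico` and `usb.core` import and that device lookup fails cleanly would make the real coverage explicit.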
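Review bot: In `main()` of test_ipa_yubico_api.py, `usb_device.configurations[0]` and `usb_conf.interfaces[0][0]` are indexed before the `try:`, so a device that exposes no configuration would raise IndexError instead of being skipped, and the result `usb_int` is never used. The commented-out `# import pdb; pdb.set_trace()` is debugging residue and should be deleted. `assert usb_handle.controlMsg.__call__` is truthy whenever the attribute exists, so `assert callable(usb_handle.controlMsg)` states the intent. When `usb.core.find(find_all=True)` yields no devices the loop body never runs and PASS is still logged, which deserves at least a log line saying nothing was exercised.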
@@ -0,0 +1,8 @@
+#!/bin/sh -eux
+
+systemctl unmask gssproxy
+ipa-server-install --hostname=$(hostname) -r EXAMPLE.TEST -n example.test --setup-dns --no-forwarders --allow-zone-overlap -p Secret123 -a Secret123 -U
+echo Secret123 | kinit admin
+ipa config-show
+ipa-server-install --uninstall -U
+
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..05688e4
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+ tags:
+ - classic
+ pre_tasks:
+ - name: Enable brewroot repository (so we have all latest packages available)
+ command: dnf config-manager --set-enabled baseos-ci-tag-repository
+ args:
+ warn: false
+ - name: Enable IDM module
+ command: dnf module enable -y idm:DL1
+ args:
+ warn: false
+ - name: Install IDM packages
+ command: dnf module install -y idm:DL1/server idm:DL1/dns
+ args:
+ warn: false
+ - name: Get Custodia version
+ command: rpm -q --qf '%{VERSION}' custodia
+ args:
+ warn: false
+ register: custodia_version
+ roles:
+ - role: standard-test-basic
+ required_packages:
+ - sudo
+ # pytest for Custodia testing
+ - python3-pytest
+ repositories:
+ - repo: "https://github.com/latchset/custodia.git"
+ dest: "custodia_git"
+ # tag name is e.g. "v0.6.0"
+ version: "v{{ custodia_version.stdout }}"
+ tests:
+ - sanity
+ #- custodia_setup:
+ # dir: "custodia_git"
+ # run: "cd tests/ca && ./custodia-ca.sh"
+ #- custodia:
+ # dir: "custodia_git"
+ # run: "pytest-3 -k 'not test_client_no_client_cert' tests/"
+ - python_qrcode:
+ dir: "python-qrcode"
+ run: "./test_ipa_otptoken.py"
+ - python_yubico:
+ dir: "python-yubico"
+ run: "./test_ipa_yubikey.py"
+ - pyusb:
+ dir: "pyusb"
+ run: "./test_ipa_yubico_api.py"
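Review bot: With `-e` in effect in runtest.sh, a failure of `kinit admin` or `ipa config-show` exits before `ipa-server-install --uninstall -U` runs, leaving an IdM server configured with the fixed `Secret123` passwords on the host. Register the cleanup ahead of the install with `trap 'ipa-server-install --uninstall -U' EXIT` and drop the final explicit call. `--hostname=$(hostname)` should be quoted as `--hostname="$(hostname)"`. The file is created with mode 100644, so it is presumably run as `sh runtest.sh`, in which case the `-eux` on the shebang line is ignored; a `set -eux` line in the body makes the behaviour independent of how it is invoked.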
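Review bot: The `repositories` entry in tests.yml still clones `https://github.com/latchset/custodia.git` at `v{{ custodia_version.stdout }}` although both tests that use `custodia_git` are commented out, so every gating run fetches external code that nothing executes. Remove the entry together with the `Get Custodia version` task and `python3-pytest` until the tests return, and when they do, consider pinning a commit hash, since a tag can be moved upstream. Separately, the `warn` argument used under `args:` on the four `command` tasks was removed from the command module in ansible-core 2.14, so it should be dropped or the dnf steps moved to the `dnf` module.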