rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
250c717508
ipa/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch

382 lines
14 KiB
Diff
Raw Normal View History

import ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37
2021-03-31 15:25:37 +00:00
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 11 Dec 2020 07:35:59 +0200
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 12 ++++
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
.../nightly_ipa-4-9_previous.yaml | 12 ++++
.../test_integration/test_installation.py | 66 +++++++++++++++++++
4 files changed, 103 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 3acd6a13c..d91b16cab 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index c01192cf5..8adb06d0c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -575,6 +575,19 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index a6ea24f6a..2b5d4fd5e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index eb6f7d78e..6e8af024c 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
self.replicas[0].hostname],
stdin_text=dirman_password)
assert self.replicas[0].hostname not in cmd.stdout_text
+
+
+class TestInstallWithoutSudo(IntegrationTest):
+
+ num_clients = 1
+ num_replicas = 1
+ no_sudo_str = "The sudo binary does not seem to be present on this"
+
+ @classmethod
+ def install(cls, mh):
+ pass
+
+ def test_sudo_removal(self):
+ # ipa-client makes sudo depend on libsss_sudo.
+
+ # --nodeps is mandatory because dogtag uses sudo at install
+ # time until commit 49585867207922479644a03078c29548de02cd03
+ # which is scheduled to land in 10.10.
+
+ # This also means sudo+libsss_sudo cannot be uninstalled on
+ # IPA servers with a CA.
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
+ tasks.uninstall_packages(
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+
+ def test_ipa_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
+ tasks.install_master(self.master, setup_dns=True)
+
+ def test_replica_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test replica installation
+ # without sudo and with CA
+ tasks.uninstall_packages(
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ # One-step install is needed.
+ # With promote=True, two-step install is done and that only captures
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
+ result = tasks.install_replica(
+ self.master, self.replicas[0], promote=False,
+ setup_dns=True, setup_ca=False
+ )
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_client_installation_without_sudo(self):
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_remove_sudo_on_ipa(self):
+ tasks.uninstall_packages(
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ self.master.run_command(
+ ['ipactl', 'restart']
+ )
+
+ def test_install_sudo_on_client(self):
+ """ Check that installing sudo pulls libsss_sudo in"""
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_packages(self.clients[0], ['sudo'])
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg)
--
2.29.2
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:35:12 +0200
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index b91859816..2fe78367f 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -29,6 +29,7 @@ import re
import collections
import itertools
import shutil
+import shlex
import copy
import subprocess
import tempfile
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
return tmpdir
-def uninstall_packages(host, pkgs):
+def uninstall_packages(host, pkgs, nodeps=False):
"""Uninstall packages on a remote host.
- :param host: the host where the uninstallation takes place
- :param pkgs: packages to uninstall, provided as a list of strings
+ :param host: the host where the uninstallation takes place.
+ :param pkgs: packages to uninstall, provided as a list of strings.
+ :param nodeps: ignore dependencies (dangerous!).
"""
platform = get_platform(host)
- # Only supports RHEL 8+ and Fedora for now
- if platform in ('rhel', 'fedora'):
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
- elif platform in ('ubuntu'):
- install_cmd = ['apt-get', 'remove', '-y']
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
+ if nodeps:
+ if platform in ('rhel', 'fedora'):
+ cmd = "rpm -e --nodeps"
+ elif platform in ('ubuntu'):
+ cmd = "dpkg -P --force-depends"
+ for package in pkgs:
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.append(package)
+ # keep raiseonerr=True here. --fcami
+ host.run_command(uninstall_cmd)
else:
- raise ValueError('install_packages: unknown platform %s' % platform)
- host.run_command(install_cmd + pkgs, raiseonerr=False)
+ if platform in ('rhel', 'fedora'):
+ cmd = "/usr/bin/dnf remove -y"
+ elif platform in ('ubuntu'):
+ cmd = "apt-get remove -y"
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.extend(pkgs)
+ host.run_command(uninstall_cmd, raiseonerr=False)
def wait_for_request(host, request_id, timeout=120):
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
assert "Authentication succeeded" not in stderr
assert "No more authentication methods to try." in stderr
return (return_code, stdout, stderr)
+
+
+def is_package_installed(host, pkg):
+ platform = get_platform(host)
+ if platform in ('rhel', 'fedora'):
+ result = host.run_command(
+ ['rpm', '-q', pkg], raiseonerr=False
+ )
+ elif platform in ['ubuntu']:
+ result = host.run_command(
+ ['dpkg', '-s', pkg], raiseonerr=False
+ )
+ else:
+ raise ValueError(
+ 'is_package_installed: unknown platform %s' % platform
+ )
+ return result.returncode == 0
--
2.29.2
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:15:22 +0200
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/client.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 8acfa0cd1..0e478fa26 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -24,6 +24,7 @@ import re
import SSSDConfig
import shutil
import socket
+import subprocess
import sys
import tempfile
import textwrap
@@ -2200,7 +2201,18 @@ def install_check(options):
"authentication resources",
rval=CLIENT_INSTALL_ERROR)
- # when installing with '--no-sssd' option, check whether nss-ldap is
+ # When installing without the "--no-sudo" option, check whether sudo is
+ # available.
+ if options.conf_sudo:
+ try:
+ subprocess.Popen(['sudo -V'])
+ except FileNotFoundError:
+ logger.info(
+ "The sudo binary does not seem to be present on this "
+ "system. Please consider installing sudo if required."
+ )
+
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
# installed
if not options.sssd:
if not os.path.exists(paths.PAM_KRB5_SO):
--
2.29.2
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 07:55:16 +0200
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
freeipa.spec.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ba52a3834..93e473ac4 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -640,6 +640,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}
--
2.29.2
Reference in New Issue Copy Permalink