From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 11 Dec 2020 07:35:59 +0200 Subject: [PATCH] ipatests: add TestInstallWithoutSudo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Test IPA servers and clients behavior when sudo is not installed. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Florence Blanc-Renaud --- .../nightly_ipa-4-9_latest.yaml | 12 ++++ .../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++ .../nightly_ipa-4-9_previous.yaml | 12 ++++ .../test_integration/test_installation.py | 66 +++++++++++++++++++ 4 files changed, 103 insertions(+) diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml index 3acd6a13c..d91b16cab 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml @@ -535,6 +535,18 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: + requires: [fedora-latest-ipa-4-9/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-latest-ipa-4-9/build_url}' + test_suite: test_integration/test_installation.py::TestInstallWithoutSudo + template: *ci-ipa-4-9-latest + timeout: 4800 + topology: *master_1repl_1client + fedora-latest-ipa-4-9/test_idviews: requires: [fedora-latest-ipa-4-9/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml index c01192cf5..8adb06d0c 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml 
@@ -575,6 +575,19 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: + requires: [fedora-latest-ipa-4-9/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-latest-ipa-4-9/build_url}' + selinux_enforcing: True + test_suite: test_integration/test_installation.py::TestInstallWithoutSudo + template: *ci-ipa-4-9-latest + timeout: 4800 + topology: *master_1repl_1client + fedora-latest-ipa-4-9/test_idviews: requires: [fedora-latest-ipa-4-9/build] priority: 50 diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml index a6ea24f6a..2b5d4fd5e 100644 --- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml @@ -535,6 +535,18 @@ jobs: timeout: 10800 topology: *master_1repl + fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo: + requires: [fedora-previous-ipa-4-9/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-previous-ipa-4-9/build_url}' + test_suite: test_integration/test_installation.py::TestInstallWithoutSudo + template: *ci-ipa-4-9-previous + timeout: 4800 + topology: *master_1repl_1client + fedora-previous-ipa-4-9/test_idviews: requires: [fedora-previous-ipa-4-9/build] priority: 50 diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index eb6f7d78e..6e8af024c 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py 
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest): self.replicas[0].hostname], stdin_text=dirman_password) assert self.replicas[0].hostname not in cmd.stdout_text + + +class TestInstallWithoutSudo(IntegrationTest): + + num_clients = 1 + num_replicas = 1 + no_sudo_str = "The sudo binary does not seem to be present on this" + + @classmethod + def install(cls, mh): + pass + + def test_sudo_removal(self): + # ipa-client makes sudo depend on libsss_sudo. + + # --nodeps is mandatory because dogtag uses sudo at install + # time until commit 49585867207922479644a03078c29548de02cd03 + # which is scheduled to land in 10.10. + + # This also means sudo+libsss_sudo cannot be uninstalled on + # IPA servers with a CA. + assert tasks.is_package_installed(self.clients[0], 'sudo') + assert tasks.is_package_installed(self.clients[0], 'libsss_sudo') + tasks.uninstall_packages( + self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True + ) + + def test_ipa_installation_without_sudo(self): + # FixMe: When Dogtag 10.10 is out, test installation without sudo + tasks.install_master(self.master, setup_dns=True) + + def test_replica_installation_without_sudo(self): + # FixMe: When Dogtag 10.10 is out, test replica installation + # without sudo and with CA + tasks.uninstall_packages( + self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True + ) + # One-step install is needed. + # With promote=True, two-step install is done and that only captures + # the ipa-replica-install stdout/stderr, not ipa-client-install's. 
+ result = tasks.install_replica( + self.master, self.replicas[0], promote=False, + setup_dns=True, setup_ca=False + ) + assert self.no_sudo_str in result.stderr_text + + def test_client_installation_without_sudo(self): + result = tasks.install_client(self.master, self.clients[0]) + assert self.no_sudo_str in result.stderr_text + + def test_remove_sudo_on_ipa(self): + tasks.uninstall_packages( + self.master, ['sudo', 'libsss_sudo'], nodeps=True + ) + self.master.run_command( + ['ipactl', 'restart'] + ) + + def test_install_sudo_on_client(self): + """ Check that installing sudo pulls libsss_sudo in""" + for pkg in ('sudo', 'libsss_sudo'): + assert tasks.is_package_installed(self.clients[0], pkg) is False + tasks.uninstall_client(self.clients[0]) + tasks.install_packages(self.clients[0], ['sudo']) + for pkg in ('sudo', 'libsss_sudo'): + assert tasks.is_package_installed(self.clients[0], pkg) -- 2.29.2 From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 10 Dec 2020 08:35:12 +0200 Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Handle package removal without taking dependencies into account. E.g. add frontends for rpm -e --nodeps. Related: ipatests/pytest_ipa/integration/tasks.py Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Florence Blanc-Renaud --- ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++----- 1 file changed, 41 insertions(+), 10 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index b91859816..2fe78367f 100755 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py 
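Review bot: The `no_sudo_str` assertions in test_replica_installation_without_sudo and test_client_installation_without_sudo only check that the message is present; nothing in TestInstallWithoutSudo checks that it is absent once sudo is installed. A check in ipa-client-install that fired unconditionally would therefore pass this class unchanged. test_install_sudo_on_client already reinstalls sudo, so it could finish with `result = tasks.install_client(self.master, self.clients[0])` and `assert self.no_sudo_str not in result.stderr_text`, assuming the client can still enroll against the master at that point. The class also relies on its tests running in definition order (test_sudo_removal first) and has no docstring; `"""Install master, replica and client with sudo and libsss_sudo removed; tests run in order."""` would document that.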
@@ -29,6 +29,7 @@ import re import collections import itertools import shutil +import shlex import copy import subprocess import tempfile @@ -2381,20 +2382,33 @@ def download_packages(host, pkgs): return tmpdir -def uninstall_packages(host, pkgs): +def uninstall_packages(host, pkgs, nodeps=False): """Uninstall packages on a remote host. - :param host: the host where the uninstallation takes place - :param pkgs: packages to uninstall, provided as a list of strings + :param host: the host where the uninstallation takes place. + :param pkgs: packages to uninstall, provided as a list of strings. + :param nodeps: ignore dependencies (dangerous!). """ platform = get_platform(host) - # Only supports RHEL 8+ and Fedora for now - if platform in ('rhel', 'fedora'): - install_cmd = ['/usr/bin/dnf', 'remove', '-y'] - elif platform in ('ubuntu'): - install_cmd = ['apt-get', 'remove', '-y'] + if platform not in ('rhel', 'fedora', 'ubuntu'): + raise ValueError('uninstall_packages: unknown platform %s' % platform) + if nodeps: + if platform in ('rhel', 'fedora'): + cmd = "rpm -e --nodeps" + elif platform in ('ubuntu'): + cmd = "dpkg -P --force-depends" + for package in pkgs: + uninstall_cmd = shlex.split(cmd) + uninstall_cmd.append(package) + # keep raiseonerr=True here. --fcami + host.run_command(uninstall_cmd) else: - raise ValueError('install_packages: unknown platform %s' % platform) - host.run_command(install_cmd + pkgs, raiseonerr=False) + if platform in ('rhel', 'fedora'): + cmd = "/usr/bin/dnf remove -y" + elif platform in ('ubuntu'): + cmd = "apt-get remove -y" + uninstall_cmd = shlex.split(cmd) + uninstall_cmd.extend(pkgs) + host.run_command(uninstall_cmd, raiseonerr=False) def wait_for_request(host, request_id, timeout=120): 
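Review bot: In uninstall_packages, `platform in ('ubuntu')` tests membership in a plain string, not a tuple, so it is a substring match, and both new branches repeat it. The guard at the top already limits platform to three values, so the outcome is the same today, but `elif platform == 'ubuntu':` (or a plain `else:`) says what is meant. The two paths also differ in error handling: the nodeps loop raises on a failed removal while the dnf/apt-get path keeps `raiseonerr=False`, so a failed removal there is not reported to the caller, and the docstring should state that difference. The command strings are constants, so list literals such as `['rpm', '-e', '--nodeps']` would make the `shlex.split` calls and the new `import shlex` unnecessary.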
@@ -2649,3 +2663,20 @@ def run_ssh_cmd( assert "Authentication succeeded" not in stderr assert "No more authentication methods to try." in stderr return (return_code, stdout, stderr) + + +def is_package_installed(host, pkg): + platform = get_platform(host) + if platform in ('rhel', 'fedora'): + result = host.run_command( + ['rpm', '-q', pkg], raiseonerr=False + ) + elif platform in ['ubuntu']: + result = host.run_command( + ['dpkg', '-s', pkg], raiseonerr=False + ) + else: + raise ValueError( + 'is_package_installed: unknown platform %s' % platform + ) + return result.returncode == 0 -- 2.29.2 From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 10 Dec 2020 08:15:22 +0200 Subject: [PATCH] ipa-client-install: output a warning if sudo is not present MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Florence Blanc-Renaud --- ipaclient/install/client.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 8acfa0cd1..0e478fa26 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -24,6 +24,7 @@ import re import SSSDConfig import shutil import socket +import subprocess import sys import tempfile import textwrap 
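Review bot: On the ubuntu branch of is_package_installed, `dpkg -s` normally exits 0 for any package dpkg still has a record of, including one that was removed but not purged, and the non-nodeps path of uninstall_packages uses `apt-get remove` rather than a purge. The function can therefore return True for a package that was just uninstalled. Querying the status explicitly avoids that: run `['dpkg-query', '-W', '-f=${Status}', pkg]` with `raiseonerr=False` and return `'install ok installed' in result.stdout_text`. The function also has no docstring; `"""Return True if pkg is installed on host (rpm -q on rhel/fedora, dpkg status on ubuntu)."""` would cover it.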
@@ -2200,7 +2201,18 @@ def install_check(options): "authentication resources", rval=CLIENT_INSTALL_ERROR) - # when installing with '--no-sssd' option, check whether nss-ldap is + # When installing without the "--no-sudo" option, check whether sudo is + # available. + if options.conf_sudo: + try: + subprocess.Popen(['sudo -V']) + except FileNotFoundError: + logger.info( + "The sudo binary does not seem to be present on this " + "system. Please consider installing sudo if required." + ) + + # when installing with the '--no-sssd' option, check whether nss-ldap is # installed if not options.sssd: if not os.path.exists(paths.PAM_KRB5_SO): -- 2.29.2 From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 10 Dec 2020 07:55:16 +0200 Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On 10.10+ releases of Dogtag, the PKI installer will not depend on sudo anymore. This opens the possibility of creating IPA servers without a properly configured sudo. In fact, even IPA clients should have sudo and libsss_sudo installed in most cases, so add a weak dependency on both of them to the client subpackage. Also make sure libsss_sudo is installed if sudo is present. Fixes: https://pagure.io/freeipa/issue/8530 Signed-off-by: François Cami Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Alexander Bokovoy Reviewed-By: Armando Neto Reviewed-By: Michal Polovka Reviewed-By: Florence Blanc-Renaud --- freeipa.spec.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index ba52a3834..93e473ac4 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
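Review bot: `subprocess.Popen(['sudo -V'])` in install_check passes a single list element, so without a shell it looks for an executable literally named "sudo -V"; that lookup raises FileNotFoundError every time, and the message is logged whether or not sudo is installed. Splitting the arguments (`['sudo', '-V']`) would fix the lookup but still leave an unwaited child process that prints its version banner into the installer output. `shutil` is already imported in this file, so `if options.conf_sudo and shutil.which('sudo') is None:` checks for the binary without running it and may make the new `import subprocess` unnecessary. The subject line calls this a warning while the code uses `logger.info`; `logger.warning` would match the stated intent. install_check begins and continues outside the hunk.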
@@ -640,6 +640,11 @@ Requires: nfs-utils Requires: sssd-tools >= %{sssd_version} Requires(post): policycoreutils +# https://pagure.io/freeipa/issue/8530 +Recommends: libsss_sudo +Recommends: sudo +Requires: (libsss_sudo if sudo) + Provides: %{alt_name}-client = %{version} Conflicts: %{alt_name}-client Obsoletes: %{alt_name}-client < %{version} -- 2.29.2