add tests with standard tests interface

tests/inplace-upgrade-sanity-test/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+#   Description: Verifies basic scenarios which should work after inplace upgrade.
+#   Author: Patrik Kis <pkis@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2014 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Patrik Kis <pkis@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Verifies basic scenarios which should work after inplace upgrade." >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        20m" >> $(METADATA)
+	@echo "RunFor:          krb5" >> $(METADATA)
+	@echo "Requires:        expect krb5-server krb5-workstation openssh-clients openssh-server rng-tools" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/inplace-upgrade-sanity-test/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+Description: Verifies basic scenarios which should work after inplace upgrade.
+Author: Patrik Kis <pkis@redhat.com>

tests/inplace-upgrade-sanity-test/kdc.conf

@@ -0,0 +1,19 @@
+[kdcdefaults]
+    kdc_ports = 88
+    kdc_tcp_ports = 88
+
+[realms]
+    ${krb5REALM1} = {
+        #master_key_type = aes256-cts
+        acl_file = /var/kerberos/krb5kdc/kadm5.acl
+        dict_file = /usr/share/dict/words
+        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+    }
+    ${krb5REALM2}    = {
+        #master_key_type = aes256-cts
+        acl_file = /var/kerberos/krb5kdc/kadm5.acl
+        dict_file = /usr/share/dict/words
+        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+    }

tests/inplace-upgrade-sanity-test/krb5.conf

@@ -0,0 +1,36 @@
+# To opt out of the system crypto-policies configuration of krb5, remove the
+# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
+includedir /etc/krb5.conf.d/
+
+[logging]
+    default = FILE:/var/log/krb5libs.log
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+    default_realm = ${krb5REALM1}
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+    ${krb5REALM1} = {
+        kdc = localhost.localdomain
+        admin_server = localhost.localdomain
+    }
+    ${krb5REALM2} = {
+        kdc = localhost.localdomain
+        admin_server = localhost.localdomain
+    }
+
+[domain_realm]
+    ${krb5HostName} = ${krb5REALM1}
+    ${krb5HostName} = ${krb5REALM2}
+
+[capaths]
+    ${krb5REALM1} = {
+        ${krb5REALM2} = .
+    }

tests/inplace-upgrade-sanity-test/runtest.sh

@@ -0,0 +1,306 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+#   Description: Verifies basic scenarios which should work after inplace upgrade.
+#   Author: Patrik Kis <pkis@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2014 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="krb5"
+PACKAGES="krb5-libs krb5-server krb5-workstation openssh"
+
+TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no}
+echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE
+
+hostnamectl set-hostname test.fedora.com
+echo "`hostname -I` test.fedora.com" >>/etc/hosts
+
+krb5REALM1='ZMRAZ.COM'
+krb5REALM2='PKIS.NET'
+krb5HostName=`hostname`
+krb5DomainName=`hostname -d`
+krb5User='alice'
+krb5UserPass='alice'
+krb5UserKrbPass='aaa'
+krb5User2='bob'
+krb5User3='carl'
+krb5KDCPass='qwe'
+krb5RootPass='rrr'
+
+krb5conf="/etc/krb5.conf"
+krb5confdir="/etc/krb5.conf.d"
+krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
+krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"
+
+rlJournalStart
+    rlPhaseStartSetup
+        for pkg in $PACKAGES; do
+            rlAssertRpm $pkg
+        done
+        rlRun "TmpDir=\$(mktemp -d)"
+        rlRun "pushd $TmpDir"
+    rlPhaseEnd
+
+    # Run this part on OLD and in "normal" mode
+    if [[ -z $IN_PLACE_UPGRADE || $IN_PLACE_UPGRADE == old ]]; then
+    rlPhaseStartSetup "KDC and kadmind setup"
+        # Stop and backup
+        rlRun "rlServiceStop kadmin krb5kdc"
+        rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
+        rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc}
+        [ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
+        [ -e $krb5confdir ] && rlFileBackup $krb5confdir
+        # Basic setup of KDC and krb5.conf
+        if rlIsRHEL 6; then
+            rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
+            rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
+            rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
+        else
+            rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
+            rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n  kdc = $krb5HostName\n  admin_server = $krb5HostName\n }/\" $krb5conf"
+            rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
+        fi
+        rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
+        # Configure the kadmin ACL
+        rlRun "echo \"*/master@$krb5REALM1  *\" > $krb5kadmacl"
+        # Configure the 2nd realmd
+        cat >>$krb5kdcconf <<_EOF
+
+ $krb5REALM2 = {
+  #master_key_type = aes256-cts
+  database_name = /var/kerberos/krb5kdc/principal.$krb5REALM1
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }
+_EOF
+        rlIsRHEL 6 || rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
+        rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n  kdc = $krb5HostName\n  admin_server = $krb5HostName\n }/\" $krb5conf"
+        cat >> $krb5conf << _EOF
+
+[capaths]
+ $krb5REALM1 = {
+  $krb5REALM2 = .
+ }
+_EOF
+        # Test the entropy source (not relevant for RHEL6)
+        if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
+            rlLog "The source of entropy will be tested as well"
+            START_DATE=`date +%H:%M:%S`
+            echo START_DATE=$START_DATE
+            sleep 1
+            rlRun "auditctl -w /dev/random -p rwxa -k RAND"
+            auditctl -l
+            sleep 1
+            rlRun "ausearch -i -k RAND -ts $START_DATE"
+        fi
+        # Create the realm databases
+        rlRun "rngd -r /dev/urandom"
+        rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"
+        rlRun "kdb5_util create -s -r $krb5REALM2 -P $krb5KDCPass"
+        # Configure KDC to handle 2 realms
+        if rlIsRHEL 6; then
+            rlRun "echo \"KRB5REALM=$krb5REALM1\" > /etc/sysconfig/krb5kdc"
+            rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM2\\\" >> /etc/sysconfig/krb5kdc"
+        else
+            rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM1 -r $krb5REALM2 \\\" >/etc/sysconfig/krb5kdc"
+        fi
+        rlRun "rlServiceStart kadmin krb5kdc"
+        # Add krb5 principals for the 2nd realm
+        rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5RootPass root/master\""
+        rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5UserKrbPass $krb5User\""
+        rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -randkey host/$krb5HostName\""
+        rlRun "kadmin.local -r $krb5REALM1 -q \"ktadd host/$krb5HostName\""
+        rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
+        rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
+        # Add krb5 principals for the 2nd realm
+        rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5UserKrbPass $krb5User2\""
+        rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
+        rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
+        rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
+        # Create test system user 
+        [ $krb5User != "root" ] && rlRun "useradd $krb5User"
+        rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
+    rlPhaseEnd
+    fi
+    
+    rlPhaseStartTest "Daemon start and log file test"
+        # Make sure there is enough entropy and start recording of the logs
+        rlRun "rngd -r /dev/urandom"
+        if grep -q krb5kdc /var/log/krb5kdc.log; then
+            tail -n0 -f /var/log/krb5kdc.log &> krb5kdc.log.record &
+            KRB5KDC_LOG_PID=$!
+            echo "log_record_start: PID = $KRB5KDC_LOG_PID"
+            sleep 1
+        elif journalctl |grep -q krb5kdc; then
+            journalctl -f &> krb5kdc.log.record &
+            KRB5KDC_LOG_PID=$!
+            echo "log_record_start: PID = $KRB5KDC_LOG_PID"
+            sleep 1
+        else
+            rlFail "Could not find krb5kdc logs"
+            echo "journalctl:"
+            journalctl -n 100
+            ls -la /var/log/krb5kdc*
+            echo "/var/log/krb5kdc.log:"
+            tail -n 100 /var/log/krb5kdc.log
+        fi
+        if grep -q kadmind /var/log/kadmind.log; then
+            tail -n0 -f /var/log/kadmind.log &> kadmind.log.record &
+            KADMIND_LOG_PID=$!
+            echo "log_record_start: PID = $KADMIND_LOG_PID"
+            sleep 1
+        elif journalctl |grep -q kadmind; then
+            journalctl -f &> kadmind.log.record &
+            KADMIND_LOG_PID=$!
+            echo "log_record_start: PID = $KADMIND_LOG_PID"
+            sleep 1
+        else
+            rlFail "Could not find kadmind logs"
+            echo "journalctl:"
+            journalctl -n 100
+            ls -la /var/log/kadmind*
+            echo "/var/log/kadmind.log:"
+            tail -n 100 /var/log/kadmind.log
+        fi
+        # Restart daemon auto start
+        if rlIsRHEL 6; then
+            rlRun "service krb5kdc restart"
+            rlRun "service kadmin restart"
+            rlRun "service krb5kdc status"
+            rlRun "service kadmin status"
+        else
+            rlRun "systemctl restart krb5kdc.service"
+            rlRun "systemctl restart kadmin.service"
+            rlRun "systemctl --no-pager status krb5kdc.service"
+            rlRun "systemctl --no-pager status kadmin.service"
+        fi
+        rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+        rlRun "kdestroy"
+        rlRun "kadmin -p root/master -w rrr -q ''"
+        rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
+        cat krb5kdc.log.record
+        rlAssertGrep "Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record
+        cat kadmind.log.record
+        # Stop log recording
+        kill $KADMIND_LOG_PID
+        kill $KRB5KDC_LOG_PID
+    rlPhaseEnd
+
+    rlPhaseStartTest "SSH test"
+        cat > sshtest.exp <<'_EOF'
+#!/usr/bin/expect -f
+set USER    [lindex $argv 0]
+set HOST    [lindex $argv 1]
+set timeout 10
+spawn ssh $USER@$HOST pwd
+expect {
+    -re ".*(yes/no).*" { send -- "yes\r"; exp_continue }
+    -re ".*password:.*" { exit 1 }
+    "/home/$USER" { exit 0 }
+    timeout { exit 2 }
+    eof { exit 3 }
+}
+exit 4
+_EOF
+        chmod 744 sshtest.exp
+        rlAssertExists sshtest.exp
+        rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+        rlRun "./sshtest.exp $krb5User $krb5HostName"; echo
+        rlRun "klist &>klist.log"
+        cat klist.log
+        rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
+        rlRun "kdestroy"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Basic kadmin and kpasswd test"
+        rlRun "kadmin.local -q \"listprincs\" |grep -v Authenticating >lplocal"
+        rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" |grep -v Authenticating >lpremote"
+        rlAssertNotDiffer lplocal lpremote || diff -u lplocal lpremote
+        diff lplocal lpremote
+        rlRun "kadmin -p root/master -w $krb5RootPass -q \"addprinc -pw $krb5User2 $krb5User2@$krb5REALM1\""
+        rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" | grep \"$krb5User2@$krb5REALM1\""
+
+        rlRun "echo $krb5User2 | kinit $krb5User2"
+        rlRun "echo -e \"$krb5User2\nqwerty\nqwerty\" | kpasswd &>kpasswd.log"
+        cat kpasswd.log
+        rlAssertGrep "Password changed." kpasswd.log
+        rlRun "echo qwerty | kinit $krb5User2"
+        rlRun "kdestroy"
+        rlRun "kadmin -p root/master -w $krb5RootPass -q \"delprinc -force $krb5User2@$krb5REALM1\""
+    rlPhaseEnd
+
+    rlPhaseStartTest "Basic ksu test"
+        [[ -f /root/.k5login ]] && rlRun "mv /root/.k5login ."
+        rlRun "echo $krb5User@$krb5REALM1 > /root/.k5login"
+        rlRun "su - $krb5User -c \"echo $krb5UserKrbPass | kinit $krb5User\""
+        rlRun "su - $krb5User -c \"ksu -e /usr/bin/id\" &> ksu.log"
+        cat ksu.log
+        rlAssertGrep "^uid=0(root) gid=0(root)" ksu.log
+        rlRun "su - $krb5User -c kdestroy"
+        [[ -f .k5login ]] && rlRun "mv .k5login /root/.k5login"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Cross realm test"
+        rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+        rlRun "kvno host/`hostname`@$krb5REALM2"
+        rlRun "klist &>klist.log"
+        cat klist.log
+        rlAssertGrep "krbtgt/$krb5REALM1@$krb5REALM1" klist.log
+        rlAssertGrep "krbtgt/$krb5REALM2@$krb5REALM1" klist.log
+        rlAssertGrep "host/`hostname`@$krb5REALM2" klist.log
+        rlRun "kdestroy"
+    rlPhaseEnd
+
+    # Test the entropy source (not relevant for RHEL6)
+    if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
+        rlPhaseStartTest "Enable faster getrandom-based entropy system"
+            echo START_DATE=$START_DATE
+            auditctl -l
+            rlRun "ausearch -i -k RAND -ts $START_DATE"
+            rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= |grep -v 'comm=rngd'" 1
+            rlRun "auditctl -D"
+        rlPhaseEnd
+    fi
+
+    # Run this part on "normal" mode; in inplace upgrade no cleanup is needed
+    if [[ -z $IN_PLACE_UPGRADE ]]; then
+    rlPhaseStartCleanup "KDC and kadmind cleanup"
+        rlRun "rm -rf /var/kerberos/krb5kdc/* /var/kerberos/krb5kdc/.k5* /etc/krb5* /etc/sysconfig/{kadmin,krb5kdc}"
+        rlFileRestore
+        rlRun "rlServiceRestore krb5kdc kadmin"
+        [ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"
+    rlPhaseEnd
+    fi
+    
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,16 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - inplace-upgrade-sanity-test
+    required_packages:
+    - expect            # Required for inplace-upgrade-sanity-test
+    - krb5-server       # Required for inplace-upgrade-sanity-test
+    - krb5-workstation  # Required for inplace-upgrade-sanity-test
+    - openssh-clients   # Required for inplace-upgrade-sanity-test
+    - openssh-server    # Required for inplace-upgrade-sanity-test
+    - rng-tools         # Required for inplace-upgrade-sanity-test