rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update tests/inplace-upgrade-sanity-test/runtest.sh

Browse Source
This commit is contained in:
Filip Dvorak 2021-03-29 15:21:43 +00:00
parent 1c03da79de
commit d67d35a3c6
1 changed files with 89 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
tests/inplace-upgrade-sanity-test/runtest.sh
View File

@ -36,15 +36,10 @@ PACKAGES="krb5-libs krb5-server krb5-workstation openssh"
TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no} TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no}
echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE
hostnamectl set-hostname test.fedora.com krb5REALM1='TEST1.REDHAT.COM'
krb5REALM2='TEST2.REDHAT.COM'
host_ip=`hostname -I | awk '{print$1}'`
echo "$host_ip test.fedora.com" >> /etc/hosts
krb5REALM1='ZMRAZ.COM'
krb5REALM2='PKIS.NET'
krb5HostName=`hostname` krb5HostName=`hostname`
krb5DomainName='fedora.com' krb5DomainName=`hostname -d`
krb5User='alice' krb5User='alice'
krb5UserPass='alice' krb5UserPass='alice'
krb5UserKrbPass='aaa' krb5UserKrbPass='aaa'
@ -58,6 +53,8 @@ krb5confdir="/etc/krb5.conf.d"
krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf" krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl" krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"
rlJournalStart rlJournalStart
rlPhaseStartSetup rlPhaseStartSetup
for pkg in $PACKAGES; do for pkg in $PACKAGES; do
@ -65,6 +62,8 @@ rlJournalStart
done done
rlRun "TmpDir=\$(mktemp -d)" rlRun "TmpDir=\$(mktemp -d)"
rlRun "pushd $TmpDir" rlRun "pushd $TmpDir"
echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
rlPhaseEnd rlPhaseEnd
# Run this part on OLD and in "normal" mode # Run this part on OLD and in "normal" mode
@ -73,9 +72,19 @@ rlJournalStart
# Stop and backup # Stop and backup
rlRun "rlServiceStop kadmin krb5kdc" rlRun "rlServiceStop kadmin krb5kdc"
rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*" rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} /etc/hosts
rlFileBackup --clean /root/.k5login
[ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab [ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
[ -e $krb5confdir ] && rlFileBackup $krb5confdir [ -e $krb5confdir ] && rlFileBackup $krb5confdir
# Make sure IPv4 is used for ssh connection
if ! grep `hostname` /etc/hosts; then
DEF_DEV=`ip route |grep default |awk '{print $5}'`
echo DEF_DEV=$DEF_DEV
DEF_IP=`ip -o -4 addr show dev $DEF_DEV |awk '{print $4}' |grep -v '/32' |sed 's|/.*||'`
echo DEF_IP=$DEF_IP
rlRun "echo '$DEF_IP `hostname`' >>/etc/hosts"
grep `hostname` /etc/hosts
fi
# Basic setup of KDC and krb5.conf # Basic setup of KDC and krb5.conf
if rlIsRHEL 6; then if rlIsRHEL 6; then
rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf" rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
@ -99,28 +108,59 @@ rlJournalStart
dict_file = /usr/share/dict/words dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
} }
_EOF _EOF
rlIsRHEL 6 || rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
if rlIsRHEL '7'; then
rlLog "Modify supported_enctypes for RHEL-7."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
# Remove 3DES and DES cipher suite from kdc.conf - Fedora 31
# Fedora 31 - krb5 will be removing support for DES, 3DES, and crc-32 entirely
# they will not be allowed in session keys or long-term keys. (BZ#1670398)
# https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization
elif rlIsFedora '>=31';then
rlLog "Modify supported_enctypes for Fedora >=31. Remove *DES ciphers."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
elif rlIsRHEL '8' && [ `rpm -q --qf '%{VERSION}' krb5-server | cut -d"." -f2` -lt 18 ];then
rlLog "Modify supported_enctypes for RHEL-8."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
else
#RHEL-8 Bug 1802334 - [Rebase] krb5: rebase to 1.18:
#- Removal of *DES encryption types
#https://bugzilla.redhat.com/show_bug.cgi?id=1802334
rlLog "Modify supported_enctypes for RHEL-8 with krb-1.18. Remove *DES ciphers."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
fi
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf" rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
cat >> $krb5conf << _EOF cat >> $krb5conf << _EOF
[capaths] [capaths]
$krb5REALM1 = { $krb5REALM1 = {
$krb5REALM2 = . $krb5REALM2 = .
} }
_EOF _EOF
# Test the entropy source (not relevant for RHEL6) # BZ#1394908: Test the entropy source (not relevant for RHEL6)
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
rlLog "The source of entropy will be tested as well" rlLog "BZ#1394908: The source of entropy will be tested as well"
# Check number of audit rules
number_rules=$(auditctl -l | grep -v "No rules" | wc -l)
if [[ ${number_rules} -ne 0 ]];then
truncate -s0 /var/log/audit/audit.log
rlRun "auditctl -D" 0 "Delete previous audit rules"
fi
START_DATE=`date +%H:%M:%S` START_DATE=`date +%H:%M:%S`
echo START_DATE=$START_DATE echo START_DATE=$START_DATE
sleep 1 sleep 1
rlRun "auditctl -w /dev/random -p rwxa -k RAND" rlRun "auditctl -w /dev/random -p rwxa -k RAND"
auditctl -l auditctl -l
sleep 1 sleep 5
rlRun "ausearch -i -k RAND -ts $START_DATE" rlRun "ausearch -i -k RAND -ts $START_DATE"
fi fi
echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
# Create the realm databases # Create the realm databases
rlRun "rngd -r /dev/urandom" rlRun "rngd -r /dev/urandom"
rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass" rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"
@ -145,12 +185,12 @@ _EOF
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\"" rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\"" rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\"" rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
# Create test system user # Create test system user
[ $krb5User != "root" ] && rlRun "useradd $krb5User" [ $krb5User != "root" ] && rlRun "useradd $krb5User"
rlRun "echo $krb5UserPass | passwd --stdin $krb5User" rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
rlPhaseEnd rlPhaseEnd
fi fi
rlPhaseStartTest "Daemon start and log file test" rlPhaseStartTest "Daemon start and log file test"
# Make sure there is enough entropy and start recording of the logs # Make sure there is enough entropy and start recording of the logs
rlRun "rngd -r /dev/urandom" rlRun "rngd -r /dev/urandom"
@ -190,6 +230,10 @@ _EOF
echo "/var/log/kadmind.log:" echo "/var/log/kadmind.log:"
tail -n 100 /var/log/kadmind.log tail -n 100 /var/log/kadmind.log
fi fi
#add 'list' privilege for root/master
sed -i -e '$a*/master@EXAMPLE.COM *' /var/kerberos/krb5kdc/kadm5.acl
# Restart daemon auto start # Restart daemon auto start
if rlIsRHEL 6; then if rlIsRHEL 6; then
rlRun "service krb5kdc restart" rlRun "service krb5kdc restart"
@ -204,11 +248,21 @@ _EOF
fi fi
rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist" rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
rlRun "kdestroy" rlRun "kdestroy"
rlRun "kadmin -p root/master -w rrr -q ''" rlRun "kadmin -p root/master -w rrr -q 'getprincs'"
rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
cat krb5kdc.log.record
rlAssertGrep "Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record #The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
cat kadmind.log.record #RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
#https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
if rlIsRHEL 9 || rlIsFedora '>=33';then
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
else
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
fi
rlAssertGrep "${kadmin_princ}" kadmind.log.record
#rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
echo "***kadmind.log.record***" && cat kadmind.log.record
# Stop log recording # Stop log recording
kill $KADMIND_LOG_PID kill $KADMIND_LOG_PID
kill $KRB5KDC_LOG_PID kill $KRB5KDC_LOG_PID
@ -238,6 +292,13 @@ _EOF
cat klist.log cat klist.log
rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
rlRun "kdestroy" rlRun "kdestroy"
#BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
#The problem is that this file had security context: system_u:object_r:kadmind_tmp_t:s0.
#This is a problem when the ssh via krb5-GSSAPI is used because sshd service cannot write into this file.
if rlIsRHEL '>=8.3' || rlIsFedora '>=32'; then
rlLog "BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context"
rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow | grep ^allow"
fi
rlPhaseEnd rlPhaseEnd
rlPhaseStartTest "Basic kadmin and kpasswd test" rlPhaseStartTest "Basic kadmin and kpasswd test"
@ -279,13 +340,14 @@ _EOF
rlRun "kdestroy" rlRun "kdestroy"
rlPhaseEnd rlPhaseEnd
# Test the entropy source (not relevant for RHEL6) # BZ#1394908: Test the entropy source (not relevant for RHEL6)
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
rlPhaseStartTest "Enable faster getrandom-based entropy system" rlPhaseStartTest "BZ#1394908: Enable faster getrandom-based entropy system"
echo START_DATE=$START_DATE echo START_DATE=$START_DATE
auditctl -l auditctl -l
sleep 5
rlRun "ausearch -i -k RAND -ts $START_DATE" rlRun "ausearch -i -k RAND -ts $START_DATE"
rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= |grep -v 'comm=rngd'" 1 rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= | grep -v comm=auditctl |grep -v 'comm=rngd'" 1
rlRun "auditctl -D" rlRun "auditctl -D"
rlPhaseEnd rlPhaseEnd
fi fi
@ -299,10 +361,11 @@ _EOF
[ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User" [ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"
rlPhaseEnd rlPhaseEnd
fi fi
rlPhaseStartCleanup rlPhaseStartCleanup
rlRun "kdestroy -A"
rlRun "popd" rlRun "popd"
rlRun "rm -r $TmpDir" rlRun "rm -r $TmpDir"
rlPhaseEnd rlPhaseEnd
rlJournalPrintText rlJournalPrintText
rlJournalEnd rlJournalEnd