PR#6: Update tests/inplace-upgrade-sanity-test/runtest.sh - rpms/krb5

rpms / krb5

#6 Update tests/inplace-upgrade-sanity-test/runtest.sh

Merged 3 years ago by rharwood. Opened 3 years ago by fdvorak.

rpms/ fdvorak/krb5 f34 into rawhide

Update tests/inplace-upgrade-sanity-test/Makefile

Filip Dvorak • 3 years ago

002bf40

Update tests/inplace-upgrade-sanity-test/runtest.sh

Filip Dvorak • 3 years ago

d67d35a

tests/inplace-upgrade-sanity-test/Makefile

file modified

		`@@ -55,6 +55,7 @@`
		`@echo "TestTime: 20m" >> $(METADATA)`
		`@echo "RunFor: krb5" >> $(METADATA)`
		`@echo "Requires: expect krb5-server krb5-workstation openssh-clients openssh-server rng-tools" >> $(METADATA)`
		`+ @echo "Requires: setools-console" >> $(METADATA)`
		`@echo "Priority: Normal" >> $(METADATA)`
		`@echo "License: GPLv2" >> $(METADATA)`
		`@echo "Confidential: no" >> $(METADATA)`

tests/inplace-upgrade-sanity-test/runtest.sh

file modified

+89 -26

		`@@ -36,15 +36,10 @@`
		`TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no}`
		`echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE`

		`- hostnamectl set-hostname test.fedora.com`
		`-`
		- host_ip=`hostname -I \| awk '{print$1}'`
		`- echo "$host_ip test.fedora.com" >> /etc/hosts`
		`-`
		`- krb5REALM1='ZMRAZ.COM'`
		`- krb5REALM2='PKIS.NET'`
		`+ krb5REALM1='TEST1.REDHAT.COM'`
		`+ krb5REALM2='TEST2.REDHAT.COM'`
		krb5HostName=`hostname`
		`- krb5DomainName='fedora.com'`
		+ krb5DomainName=`hostname -d`
		`krb5User='alice'`
		`krb5UserPass='alice'`
		`krb5UserKrbPass='aaa'`
		`@@ -58,6 +53,8 @@`
		`krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"`
		`krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"`

		`+`
		`+`
		`rlJournalStart`
		`rlPhaseStartSetup`
		`for pkg in $PACKAGES; do`
		`@@ -65,6 +62,8 @@`
		`done`
		`rlRun "TmpDir=\$(mktemp -d)"`
		`rlRun "pushd $TmpDir"`
		`+ echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf`
		`+ echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf`
		`rlPhaseEnd`

		`# Run this part on OLD and in "normal" mode`
		`@@ -73,9 +72,19 @@`
		`# Stop and backup`
		`rlRun "rlServiceStop kadmin krb5kdc"`
		`rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"`
		`- rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc}`
		`+ rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} /etc/hosts`
		`+ rlFileBackup --clean /root/.k5login`
		`[ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab`
		`[ -e $krb5confdir ] && rlFileBackup $krb5confdir`
		`+ # Make sure IPv4 is used for ssh connection`
		+ if ! grep `hostname` /etc/hosts; then
		+ DEF_DEV=`ip route \|grep default \|awk '{print $5}'`
		`+ echo DEF_DEV=$DEF_DEV`
		+ DEF_IP=`ip -o -4 addr show dev $DEF_DEV \|awk '{print $4}' \|grep -v '/32' \|sed 's\|/.*\|\|'`
		`+ echo DEF_IP=$DEF_IP`
		+ rlRun "echo '$DEF_IP `hostname`' >>/etc/hosts"
		+ grep `hostname` /etc/hosts
		`+ fi`
		`# Basic setup of KDC and krb5.conf`
		`if rlIsRHEL 6; then`
		`rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"`
		`@@ -99,28 +108,59 @@`
		`dict_file = /usr/share/dict/words`
		`admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab`
		`supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal`
		`- }`
		`+ }`
		`_EOF`
		`- rlIsRHEL 6 \|\| rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"`
		`+`
		`+`
		`+ if rlIsRHEL '7'; then`
		`+ rlLog "Modify supported_enctypes for RHEL-7."`
		`+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"`
		`+ # Remove 3DES and DES cipher suite from kdc.conf - Fedora 31`
		`+ # Fedora 31 - krb5 will be removing support for DES, 3DES, and crc-32 entirely`
		`+ # they will not be allowed in session keys or long-term keys. (BZ#1670398)`
		`+ # https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization`
		`+ elif rlIsFedora '>=31';then`
		`+ rlLog "Modify supported_enctypes for Fedora >=31. Remove *DES ciphers."`
		`+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"`
		+ elif rlIsRHEL '8' && [ `rpm -q --qf '%{VERSION}' krb5-server \| cut -d"." -f2` -lt 18 ];then
		`+ rlLog "Modify supported_enctypes for RHEL-8."`
		`+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"`
		`+ else`
		`+ #RHEL-8 Bug 1802334 - [Rebase] krb5: rebase to 1.18:`
		`+ #- Removal of *DES encryption types`
		`+ #https://bugzilla.redhat.com/show_bug.cgi?id=1802334`
		`+ rlLog "Modify supported_enctypes for RHEL-8 with krb-1.18. Remove *DES ciphers."`
		`+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"`
		`+ fi`
		`rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"`
		`- cat >> $krb5conf << _EOF`
		`+ cat >> $krb5conf << _EOF`

		`[capaths]`
		`$krb5REALM1 = {`
		`$krb5REALM2 = .`
		`}`
		`_EOF`
		`- # Test the entropy source (not relevant for RHEL6)`
		`+ # BZ#1394908: Test the entropy source (not relevant for RHEL6)`
		`if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then`
		`- rlLog "The source of entropy will be tested as well"`
		`+ rlLog "BZ#1394908: The source of entropy will be tested as well"`
		`+ # Check number of audit rules`
		`+ number_rules=$(auditctl -l \| grep -v "No rules" \| wc -l)`
		`+ if [[ ${number_rules} -ne 0 ]];then`
		`+ truncate -s0 /var/log/audit/audit.log`
		`+ rlRun "auditctl -D" 0 "Delete previous audit rules"`
		`+ fi`
		START_DATE=`date +%H:%M:%S`
		`echo START_DATE=$START_DATE`
		`sleep 1`
		`rlRun "auditctl -w /dev/random -p rwxa -k RAND"`
		`auditctl -l`
		`- sleep 1`
		`+ sleep 5`
		`rlRun "ausearch -i -k RAND -ts $START_DATE"`
		`fi`
		`+`
		`+ echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf`
		`+ echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf`
		`+`
		`# Create the realm databases`
		`rlRun "rngd -r /dev/urandom"`
		`rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"`
		`@@ -145,12 +185,12 @@`
		`rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""`
		`rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""`
		`rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""`
		`- # Create test system user`
		`+ # Create test system user`
		`[ $krb5User != "root" ] && rlRun "useradd $krb5User"`
		`rlRun "echo $krb5UserPass \| passwd --stdin $krb5User"`
		`rlPhaseEnd`
		`fi`
		`-`
		`+`
		`rlPhaseStartTest "Daemon start and log file test"`
		`# Make sure there is enough entropy and start recording of the logs`
		`rlRun "rngd -r /dev/urandom"`
		`@@ -190,6 +230,10 @@`
		`echo "/var/log/kadmind.log:"`
		`tail -n 100 /var/log/kadmind.log`
		`fi`
		`+`
		`+ #add 'list' privilege for root/master`
		`+ sed -i -e '$a/master@EXAMPLE.COM ' /var/kerberos/krb5kdc/kadm5.acl`
		`+`
		`# Restart daemon auto start`
		`if rlIsRHEL 6; then`
		`rlRun "service krb5kdc restart"`
		`@@ -204,11 +248,21 @@`
		`fi`
		`rlRun "echo $krb5UserKrbPass \|kinit $krb5User && klist"`
		`rlRun "kdestroy"`
		`- rlRun "kadmin -p root/master -w rrr -q ''"`
		`+ rlRun "kadmin -p root/master -w rrr -q 'getprincs'"`
		`rlAssertGrep "AS_REQ.$krb5User@$krb5REALM1.krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record`
		`- cat krb5kdc.log.record`
		- rlAssertGrep "Request: kadm5_init.root/master@$krb5REALM1.service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record
		`- cat kadmind.log.record`
		`+`
		`+ #The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB`
		`+ #RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs`
		`+ #https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935`
		`+ if rlIsRHEL 9 \|\| rlIsFedora '>=33';then`
		`+ kadmin_princ="Request: kadm5_init.root/master@$krb5REALM1.service=kadmin/admin@$krb5REALM1"`
		`+ else`
		+ kadmin_princ="Request: kadm5_init.root/master@$krb5REALM1.service=kadmin/.*`hostname`@$krb5REALM1"
		`+ fi`
		`+ rlAssertGrep "${kadmin_princ}" kadmind.log.record`
		+ #rlAssertGrep "Request: kadm5_init.root\/master@$krb5REALM1.service=kadmin\/(admin\|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
		`+ echo "*krb5kdc.log.record*" && cat krb5kdc.log.record`
		`+ echo "*kadmind.log.record*" && cat kadmind.log.record`
		`# Stop log recording`
		`kill $KADMIND_LOG_PID`
		`kill $KRB5KDC_LOG_PID`
		`@@ -238,6 +292,13 @@`
		`cat klist.log`
		rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
		`rlRun "kdestroy"`
		`+ #BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context`
		`+ #The problem is that this file had security context: system_u:object_r:kadmind_tmp_t:s0.`
		`+ #This is a problem when the ssh via krb5-GSSAPI is used because sshd service cannot write into this file.`
		`+ if rlIsRHEL '>=8.3' \|\| rlIsFedora '>=32'; then`
		`+ rlLog "BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context"`
		`+ rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow \| grep ^allow"`
		`+ fi`
		`rlPhaseEnd`

		`rlPhaseStartTest "Basic kadmin and kpasswd test"`
		`@@ -279,13 +340,14 @@`
		`rlRun "kdestroy"`
		`rlPhaseEnd`

		`- # Test the entropy source (not relevant for RHEL6)`
		`+ # BZ#1394908: Test the entropy source (not relevant for RHEL6)`
		`if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then`
		`- rlPhaseStartTest "Enable faster getrandom-based entropy system"`
		`+ rlPhaseStartTest "BZ#1394908: Enable faster getrandom-based entropy system"`
		`echo START_DATE=$START_DATE`
		`auditctl -l`
		`+ sleep 5`
		`rlRun "ausearch -i -k RAND -ts $START_DATE"`
		`- rlRun "ausearch -i -k RAND -ts $START_DATE \|grep comm= \|grep -v 'comm=rngd'" 1`
		`+ rlRun "ausearch -i -k RAND -ts $START_DATE \|grep comm= \| grep -v comm=auditctl \|grep -v 'comm=rngd'" 1`
		`rlRun "auditctl -D"`
		`rlPhaseEnd`
		`fi`
		`@@ -299,10 +361,11 @@`
		`[ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"`
		`rlPhaseEnd`
		`fi`
		`-`
		`+`
		`rlPhaseStartCleanup`
		`+ rlRun "kdestroy -A"`
		`rlRun "popd"`
		`rlRun "rm -r $TmpDir"`
		`rlPhaseEnd`
		`rlJournalPrintText`
		`- rlJournalEnd`
		`+ rlJournalEnd`
		`\ No newline at end of file`