WIP: Enable AD trust tests

.gitignore

@@ -11,5 +11,9 @@ importer_result.json
 /.tox/
 /.venv/
 
+# ansible-freeipa test environments
+/**/ansible-freeipa-scenario/
+
+# test output files
 tests/logs/
 TEST*.xml

infra/azure/azure-pipelines.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'
 
 variables:
   ansible_version: "-core >=2.16,<2.17"

infra/azure/pr-pipeline.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'
 
 variables:
   distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"

infra/azure/scripts/set_test_modules

@@ -50,8 +50,8 @@ then
     [ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
     [ -z "${enabled_tests}" ] && enabled_tests="None"
 
-    [ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
-    [ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
+    [ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS:-}"
+    [ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES:-}"
 
     rm -f "${files_list}"
 fi
@@ -61,7 +61,7 @@ fi
 export IPA_ENABLED_MODULES
 export IPA_ENABLED_TESTS
 
-echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
-echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
+echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES:-}]"
+echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS:-}]"
 
 popd >/dev/null 2>&1 || die "Failed to change back to original directory."

infra/azure/templates/prepare_environment.yaml

@@ -19,12 +19,33 @@ steps:
 
   - script: |
       pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
+      pip install podman-compose
+      pip install git+https://github.com/rjeffman/ipalab-config@main
     retryCountOnTaskFailure: 5
     displayName: Install test dependencies
 
   - script: ansible-galaxy collection install -r requirements-podman.yml
     retryCountOnTaskFailure: 5
     displayName: Install Ansible collections
 
-  - script: infra/image/start.sh ${{ parameters.distro }}-server
-    displayName: Setup target container for ${{ parameters.distro }}
+  # Deployment of IPA servers/clients is done through the collection
+  - script: |
+      git fetch --unshallow
+      utils/build-galaxy-release.sh -i
+    retryCountOnTaskFailure: 5
+    displayName: Build Galaxy release - Temp
+
+  - script: cat infra/scenarios/ipa-ad-trust.yml
+    displayName: Show configuration - Debug
+
+  - script: |
+      infra/scenarios/start-scenario -D infra/scenarios/ipa-ad-trust.yml
+      # workaround for 'sudo'
+      podman exec addc chmod u+r /etc/shadow
+      podman exec server chmod u+r /etc/shadow
+      podman exec cli01 chmod u+r /etc/shadow
+      # Deploy nodes
+      ansible-playbook -i ansible-freeipa-scenario/inventory.yml ansible-freeipa-scenario/playbooks/deploy_*.yml ||:
+      ansible-playbook -i ansible-freeipa-scenario/inventory.yml ansible-freeipa-scenario/playbooks/install-cluster.yml || exit 1
+      ansible-playbook -i ansible-freeipa-scenario/inventory.yml ansible-freeipa-scenario/playbooks/config_*.yml ||:
+    displayName: Prepare testing scenario

infra/azure/templates/run_tests.yml

@@ -42,6 +42,7 @@ jobs:
       ansible_version: ${{ parameters.ansible_version }}
       python_version: ${{ parameters.python_version }}
 
+  # This will set environmnet variable "TOPDIR" on all script tasks
   - bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
     displayName: Set repo rootdir
 
@@ -53,46 +54,18 @@ jobs:
        SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
 
   - script: |
-      git fetch --unshallow
-      utils/build-galaxy-release.sh -i
-    retryCountOnTaskFailure: 5
-    displayName: Build Galaxy release
-    condition: ${{ parameters.test_galaxy }}
-
-  - script: |
-      echo "PWD: ${PWD}"
-      echo "TOPDIR: ${TOPDIR}"
-      echo "ROLES: ${ANSIBLE_ROLES_PATH}"
-      echo "LIBRARY: ${ANSIBLE_LIBRARY}"
-      echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
-      . "${TOPDIR}/infra/azure/scripts/set_test_modules"
-      [ "${{ parameters.test_galaxy }}" == "True"  ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
-      pytest \
-          -m "${{ parameters.test_type }}" \
-          --verbose \
-          --color=yes \
-          --splits=${{ parameters.number_of_groups }} \
-          --group=${{ parameters.group_number }} \
-          --randomly-seed=$(date "+%Y%m%d") \
-          --suppress-no-test-exit-code \
-          --junit-xml=TEST-results-pr-check.xml
+      # Run tests
+      infra/scenarios/run_test_scenario.sh -k -vvv
     displayName: Run playbook tests
     env:
       SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
-      ${{ if not(parameters.test_galaxy)  }}:
+      ${{ if not(parameters.test_galaxy) }}:
         ANSIBLE_ROLES_PATH: "${PWD}/roles"
         ANSIBLE_LIBRARY: "${PWD}/plugins"
         ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
-      IPA_SERVER_HOST: ansible-freeipa-tests
-      RUN_TESTS_IN_DOCKER: podman
+      ${{ if parameters.test_galaxy }}:
+        ANSIBLE_COLLECTIONS_PATH: "${HOME}/.ansible/collections/ansible_collections"
       IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
       IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
       IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
       IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
-      IPA_VERBOSITY: "-vvv"
-
-  - task: PublishTestResults@2
-    inputs:
-      mergeTestResults: true
-      testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
-    condition: succeededOrFailed()

infra/scenarios/README.md

@@ -0,0 +1,60 @@
+ansible-freeipa testing scenarios
+=================================
+
+The ansible-freeipa testing scenarios are a collection of scripts and configuration files to aid on the creation of environments composed of single or multiple IPA deployments, each one with one or more hosts, and external hosts like name servers or Samba Active Directory Domain Controllers.
+
+The environment created is based on rootless containers (what itself may impose some limits and restrictions on testing) that are part of a `pod`. A custom bridge network is used for the `pod`.
+
+
+Dependencies
+------------
+
+* ipalab-config version 0.10.3 or later
+* podman-compose
+* podman
+
+All dependencies can be installed in a Python virtual environment.
+
+
+Scenarios
+---------
+
+The following test scenarios are currently available:
+
+**ipa-ad-trust.yml**
+
+A scenario with one server, one client and one node not part of the IPA deployment running Samba AD DC. This scenario can be used to run AD related tests.
+
+
+Restrictions
+------------
+
+When creating new scenarios, these rules apply:
+
+* All scenarios `lab_name` must be `ansible-freeipa-scenario`
+* All playbooks to be executed when starting a scenario must named starting with `config_`
+* There's no guarantee on the order the configuration playbooks will be executed
+* Non-IPA nodes are deployed before the IPA clusters
+
+
+Usage Example
+-------------
+
+In this example a scenario with a server, a client and an AD Domain Controller (Samba) is created:
+
+```
+$ infra/scenarios/start-scenario infra/scenarios/ipa-ad-trust.yml
+```
+
+After the scenario is used, it can be shutdown with:
+
+```
+$ infra/scenarios/stop-scenario
+```
+
+To choose the distribution used for the IPA cluster, use the `-d` option:
+
+```
+$ infra/scenarios/start-scenario -d c9s infra/scenarios/ipa-ad-trust.yml
+```
+

infra/scenarios/ipa-ad-trust.yml

@@ -0,0 +1,63 @@
+# IPA trust to Samba AD DC.
+#
+# Steps to set trust on 'server':
+#   # kinit admin <<< SomeADMINpassword
+#   # ipa dnsforwardzone-add ad.ipa.test. --forwarder=192.168.13.250
+#   # ipa trust-add ad.ipa.test --type ad --range-type ipa-ad-trust --two-way true --admin=Administrator --password <<< Secret123
+#
+# Create samba user on 'addc':
+#   # samba-tool user create jdoe --given-name John --surname Doe
+#
+# Checking user on IPA server:
+#
+#  # getent passwd [email protected]
+#  # kinit [email protected]
+#
+---
+lab_name: ansible-freeipa-scenario
+subnet: "192.168.13.0/24"
+extra_data:
+  - playbooks/config_trust_users.yml
+external:
+  hosts:
+  - name: addc
+    hostname: dc.ad.ipa.test
+    role: addc
+    ip_address: 192.168.13.250
+    security_opt:
+      - no-new-privileges=false
+    options:
+      forwarder: 192.168.13.100
+ipa_deployments:
+  - name: ipa
+    domain: linux.ipa.test
+    admin_password: SomeADMINpassword
+    dm_password: SomeDMpassword
+    vars:
+      # Trust variables are needed on both server and client
+      # to run test for both supported contexts
+      # trust test vars
+      winserver_domain: ad.ipa.test
+      winserver_admin_password: Secret123
+      winserver_ip: 192.168.13.250
+      # external users vars
+      test_ad_user: 'jdoe@DC'
+      test_alt_user: '[email protected]'
+    cluster:
+      servers:
+        - name: server
+          capabilities: ["DNS", "AD", "KRA"]
+          ip_address: 192.168.13.100
+          security_opt:
+            - no-new-privileges=false
+          vars:
+            ipaserver_netbios_name: IPA
+            ipaserver_idstart: 60000
+            ipaserver_idmax: 62000
+            ipaserver_rid_base: 63000
+            ipaserver_secondary_rid_base: 70000
+      clients:
+        - name: cli01
+          dns: server
+          security_opt:
+            - no-new-privileges=false

infra/scenarios/playbooks/config_trust_users.yml

@@ -0,0 +1,17 @@
+---
+- name: Add some users to Samba AD DC
+  hosts: addc
+  become: false
+  gather_facts: false
+
+  tasks:
+  - name: Add users to AD DC
+    ansible.builtin.shell: samba-tool user create {{ item.login }} --given-name {{ item.first }} --surname {{ item.last }}
+    args:
+      stdin: |
+        Secret123
+        Secret123
+    loop:
+      - {login: "jdoe", first: "John", last: "Doe"}
+      - {login: "lanne", first: "Lisa", last: "Anne"}
+      - {login: "zica", first: "Zoe", last: "Ica"}

infra/scenarios/requirements.txt

@@ -0,0 +1,2 @@
+ipalab-config>=0.10.3
+podman-compose>=1.2.0