(SIMP-6175) Fix AD Tests (#77)

SIMP-6175 #close

CHANGELOG

@@ -1,3 +1,6 @@
+* Thu Mar 14 2019 Trevor Vaughan <[email protected]> - 6.1.6-0
+- Fix the Active Directory tests
+
 * Mon Mar 04 2019 Liz Nemsick <[email protected]> - 6.1.6-0
 - Expanded the upper limit of the stdlib Puppet module version
 - Updated URLs in the README.md

spec/acceptance/suites/ad/00_setup_ad_spec.rb

@@ -10,6 +10,9 @@
   domain_pass = '@dm1n=P@ssw0r'
 
   ad_servers.each do |server|
+    domain = fact_on(server, 'domain').strip
+    ldap_dc = domain.split('.').map{|x| "DC=#{x}"}.join(',')
+
     it 'should install the AD feature' do
       # https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS
       exec_ps_script_on(server, 'Install-WindowsFeature AD-Domain-Services -IncludeManagementTools')
@@ -19,7 +22,7 @@
         "$Pass = '#{domain_pass}' | ConvertTo-SecureString -AsPlainText -Force ;",
         'Install-ADDSForest',
         '-Force',
-        '-DomainName "test.case"',
+        %(-DomainName "#{domain}"),
         '-InstallDns',
         '-SafeModeAdministratorPassword $Pass',
         '-LogPath C:\Windows\Logs'
@@ -60,7 +63,7 @@
 
     it 'should set the Administrator password' do
       cmd = [
-        '([adsi]\\"WinNT://TEST/Administrator\\").SetPassword(\\"',
+        '([adsi]\\"WinNT://' + domain.split('.').first.upcase + '/Administrator\\").SetPassword(\\"',
         domain_pass,
         '\\")'
       ].join
@@ -77,13 +80,15 @@
       create_remote_file(server, 'C:\users.csv', users_csv)
 
       sleep 90
-      exec_ps_script_on(server, File.read('spec/acceptance/suites/ad/files/populate_ad.ps1'))
+      @ldap_dc = ldap_dc
+      @domain = domain
+      exec_ps_script_on(server, ERB.new(File.read(File.join(File.dirname(__FILE__), 'files/populate_ad.ps1'))).result(binding))
       sleep 40
     end
 
     it 'should have users from the CSV and vagrant' do
       # https://social.technet.microsoft.com/Forums/ie/en-US/67aab9d3-1ced-4d33-8252-66a6f88713b0/exporting-ad-user-list-to-a-text-or-excel-document?forum=winserverDS
-      result = exec_ps_script_on(server, 'Get-ADUser -Filter * -SearchBase "DC=test,DC=case" | select Name')
+      result = exec_ps_script_on(server, 'Get-ADUser -Filter * -SearchBase "' + ldap_dc + '" | select Name')
       expect(result.stdout).to match(/vagrant/)
       expect(result.stdout).to match(/Mike Hammer/)
       expect(result.stdout).to match(/John Franklin/)

spec/acceptance/suites/ad/50_ad_spec.rb

@@ -8,28 +8,29 @@
   ad          = hosts_with_role(hosts,'ad').first
   domain_pass = '@dm1n=P@ssw0r'
   domain      = fact_on(clients.first, 'domain')
+  ldap_dc     = domain.split('.').map{|x| "DC=#{x}"}.join(',')
 
   let(:ad_ip) {
     require 'json'
     f = JSON.load(on(ad, 'puppet facts').stdout)
     f['values']['networking']['interfaces']['Ethernet 2']['ip']
   }
   let(:hiera) {{
-    'simp_options::sssd'          => true, # had to add because of the pam changes
-    'simp_options::pki'           => true,
-    'simp_options::pki::source'   => '/etc/pki/simp-testing/pki',
-    'simp_options::dns::servers'  => [ad_ip],
-    'simp_options::ldap::uri'     => ['ldap://FIXME'],
-    'simp_options::ldap::bind_dn' => 'cn=Administrator,cn=Users,dc=test,dc=case',
-    'simp_options::ldap::base_dn' => 'dc=test,dc=case',
-    'simp_options::ldap::bind_pw' => '<PASSWORD>',
+    'simp_options::sssd'                        => true, # had to add because of the pam changes
+    'simp_options::pki'                         => true,
+    'simp_options::pki::source'                 => '/etc/pki/simp-testing/pki',
+    'simp_options::dns::servers'                => [ad_ip],
+    'simp_options::ldap::uri'                   => ['ldap://FIXME'],
+    'simp_options::ldap::bind_dn'               => "CN=Administrator,CN=Users,#{ldap_dc}",
+    'simp_options::ldap::base_dn'               => ldap_dc,
+    'simp_options::ldap::bind_pw'               => '<PASSWORD>',
     # This causes a lot of noise and reboots
-    'sssd::auditd'                => false,
-    'sssd::domains'               => [ 'LOCAL','test.case' ],
-    'resolv::named_autoconf'      => false,
-    'resolv::caching'             => false,
-    'resolv::resolv_domain'       => 'test.case',
-    'pam::disable_authconfig'     => false,
+    'sssd::auditd'                              => false,
+    'sssd::domains'                             => [ 'LOCAL', domain ].compact,
+    'resolv::named_autoconf'                    => false,
+    'resolv::caching'                           => false,
+    'resolv::resolv_domain'                     => domain,
+    'pam::disable_authconfig'                   => false,
     'ssh::server::conf::permitrootlogin'        => true,
     'ssh::server::conf::authorizedkeysfile'     => '.ssh/authorized_keys',
     'ssh::server::conf::gssapiauthentication'   => true,
@@ -58,10 +59,12 @@
         cache_credentials => false
       }
       sssd::provider::local { 'LOCAL': }
-
+    EOF
+  }
+  let(:ad_manifest) { <<-EOF
       ####################################################################
       # AD CONFIG
-      sssd::domain { 'test.case':
+      sssd::domain { '#{domain}':
         access_provider   => 'ad',
         cache_credentials => true,
         id_provider       => 'ad',
@@ -72,18 +75,18 @@
         ignore_group_members => true,
         use_fully_qualified_names => true
       }
-      sssd::provider::ad { 'test.case':
-        ad_domain         => 'test.case',
-        ad_servers        => ['ad.test.case'],
-        # ad_access_filters => 'test.case:OU=HeadQuarter,OU=Locations,DC=test,DC=case'
+      sssd::provider::ad { '#{domain}':
+        ad_domain         => '#{domain}',
+        ad_servers        => ['ad.#{domain}'],
+        # ad_access_filters => '#{domain}:OU=HeadQuarter,OU=Locations,#{ldap_dc}'
         ldap_id_mapping   => true,
         ldap_schema       => 'ad',
-        krb5_realm        => 'TEST.CASE',
+        krb5_realm        => '#{domain.upcase}',
         dyndns_update     => true,     # add the host to dns
         dyndns_ifaces     => ['eth1'], # vagrant uses 2 interfaces, we want the second
         default_shell     => '/bin/bash',
         fallback_homedir  => '/home/%u@%d',
-        krb5_store_password_if_offline => true,
+        krb5_store_password_if_offline => true
       }
     EOF
   }
@@ -102,15 +105,12 @@
         # Find the IP of the AD host and make a new host entry with FQDN and IP
         ad_host = YAML.load(on(host, 'puppet resource host ad. --to_yaml').stdout)
         ip = ad_host['host']['ad.']['ip']
-        on(host, "puppet resource host ad.test.case ensure=present ip=#{ip} host_aliases=ad")
+        on(host, "puppet resource host ad.#{domain} ensure=present ip=#{ip} host_aliases=ad")
         # Remove incorrect and incomplete hosts entry
         on(host, 'puppet resource host ad. ensure=absent')
         # Also remove hosts entry with just a host shortname
         on(host, "puppet resource host #{host} ensure=absent")
       end
-      it 'should make sure /etc/hosts only has the new domain in it' do
-        on(host, "sed -i 's/#{domain}/test.case/' /etc/hosts")
-      end
       it 'should install the realm or adcli packages' do
         # Some of these packages only exist on EL6 or EL7
         pp = "package { ['realmd','adcli','oddjob','oddjob-mkhomedir','samba-common-tools','pam_krb5','samba4-common','krb5-workstation']: ensure => installed }"
@@ -119,72 +119,70 @@
     end
   end
 
-  context 'generate a good sssd.conf' do
+  context 'configure basic SSSD' do
     clients.each do |host|
-      it 'should apply enough to generate sssd.conf' do
+      it 'should run puppet without error' do
         set_hieradata_on(host, hiera)
-        apply_manifest_on(host, manifest)
-        apply_manifest_on(host, manifest) # pam needs one more
+        apply_manifest_on(host, manifest, catch_failures: true)
       end
 
       it 'should be idempotent' do
         apply_manifest_on(host, manifest, catch_changes: true)
       end
-
-      it 'should be running sssd' do
-        response = YAML.load(on(host, %{puppet resource service sssd --to_yaml}).stdout.strip)
-        expect(response['service']['sssd']['ensure']).to eq('running')
-        expect(response['service']['sssd']['enable']).to eq('true')
-      end
     end
   end
 
-  context 'do realmd or adcli stuff' do
+  context 'joining AD' do
     clients.each do |host|
       case host[:platform]
       when /el-6-x86_64/
-        it 'should join test.case' do
-          on(host, "echo -n '#{domain_pass}' | adcli join -v -U Administrator test.case -H #{host}.test.case --stdin-password --show-details")
+        it 'should join the AD domain' do
+          on(host, "echo -n '#{domain_pass}' | adcli join -v -U Administrator #{domain} -H #{host}.#{domain} --stdin-password --show-details")
         end
         it 'should have a realm listed' do
-          result = on(host, 'adcli info test.case')
-          expect(result.stdout).to match(/domain-name = test.case/)
+          result = on(host, "adcli info #{domain}")
+          expect(result.stdout).to match(/domain-name = #{domain}/)
         end
       when /el-7-x86_64/
         it 'make sure it is not in a domain automatically' do
-          on(host, 'realm leave')
+          on(host, 'realm leave', :accept_all_exit_codes => true)
         end
-        it 'should join test.case' do
-          on(host, "echo '#{domain_pass}' | realm join -v -U Administrator test.case")
+        it 'should join AD' do
+          on(host, "echo '#{domain_pass}' | realm join -v -U Administrator #{domain}")
         end
         it 'should have a realm listed' do
           result = on(host, 'realm list')
-          expect(result.stdout).to match(/domain-name: test.case/)
+          expect(result.stdout).to match(/domain-name: #{domain}/)
         end
         it 'should have itself listed in DNS' do
-          ip = on(host, "dig #{host}.test.case A +short")
+          ip = on(host, "dig #{host}.#{domain} A +short")
           expect(ip.stdout).to match(/10.255/)
         end
       end
     end
   end
 
-  context 'run puppet and still work' do
+  context 'when connected to AD' do
+    let(:_ad_manifest) {
+      [manifest, ad_manifest].join("\n")
+    }
+
     clients.each do |host|
-      it 'should copy certs to new hostnames' do
-        on(host, "find /etc/pki/simp_apps/ -name #{host}.#{domain}* | sed -e \"p;s/#{domain}/test.case/\" | xargs -n2 cp")
-      end
       it 'should run puppet without error' do
-        apply_manifest_on(host, manifest, catch_failures: true)
-        apply_manifest_on(host, manifest, catch_changes: true)
+        apply_manifest_on(host, _ad_manifest, catch_failures: true)
       end
+
+      it 'should be idempotent' do
+        apply_manifest_on(host, _ad_manifest, catch_changes: true)
+      end
+
       it 'should be able to id one of the test users' do
         ['mike.hammer','john.franklin','davegrohl'].each do |user|
-          id = on(host, "id #{user}@test.case")
-          expect(id.stdout).to match(/#{user}@test.case/)
+          id = on(host, "id #{user}@#{domain}")
+          expect(id.stdout).to match(/#{user}@#{domain}/)
 
-          su = on(host, "su #{user}@test.case -c 'cd; pwd; exit'")
-          expect(su.stdout).to match(%r{/home/#{user}@test.case})
+          su = on(host, "su #{user}@#{domain} -c 'cd; pwd; exit'")
+          expect(su.stdout).to match(%r{/home/#{user}@#{domain}})
         end
       end
     end
@@ -205,13 +203,13 @@
             "-p 'suP3rP@ssw0r!'",
             'ssh',
             '-o StrictHostKeyChecking=no',
-            "-l #{user}@test.case",
-            "#{host}.test.case",
+            "-l #{user}@#{domain}",
+            "#{host}.#{domain}",
             "'cd; pwd; exit'"
           ].join(' ')
           ssh = on(host, ssh_cmd)
 
-          expect(ssh.stdout).to match(%r{/home/#{user}@test.case})
+          expect(ssh.stdout).to match(%r{/home/#{user}@#{domain}})
         end
       end
     end

spec/acceptance/suites/ad/files/populate_ad.ps1

@@ -2,31 +2,31 @@
 
 Import-Module ActiveDirectory
 NEW-ADOrganizationalUnit -name "IT-Services"
-NEW-ADOrganizationalUnit -name "SupportGroups" -path "OU=IT-Services,DC=test,DC=case"
-NEW-ADOrganizationalUnit -name "CostCenter" -path "OU=SupportGroups,OU=IT-Services,DC=test,DC=case"
+NEW-ADOrganizationalUnit -name "SupportGroups" -path "OU=IT-Services,<%= @ldap_dc %>"
+NEW-ADOrganizationalUnit -name "CostCenter" -path "OU=SupportGroups,OU=IT-Services,<%= @ldap_dc %>"
 
 
 NEW-ADOrganizationalUnit -name "Locations"
-NEW-ADOrganizationalUnit -name "HeadQuarter" -path "OU=Locations,DC=test,DC=case"
-NEW-ADOrganizationalUnit -name "Users" -path "OU=HeadQuarter,OU=Locations,DC=test,DC=case"
+NEW-ADOrganizationalUnit -name "HeadQuarter" -path "OU=Locations,<%= @ldap_dc %>"
+NEW-ADOrganizationalUnit -name "Users" -path "OU=HeadQuarter,OU=Locations,<%= @ldap_dc %>"
 
 Import-CSV -delimiter ";" C:\users.csv | foreach {
   New-ADUser -SamAccountName $_.SamAccountName -GivenName $_.GivenName -Surname $_.Surname -Name $_.Name `
-             -Path "OU=Users,OU=HeadQuarter,OU=Locations,DC=test,DC=case" `
+             -Path "OU=Users,OU=HeadQuarter,OU=Locations,<%= @ldap_dc %>" `
              -AccountPassword (ConvertTo-SecureString -AsPlainText $_.Password -Force) -Enabled $true
 }
 
-New-ADGroup -Name "SecurePrinting" -SamAccountName SecurePrinting -GroupCategory Security -GroupScope Global -DisplayName "Secure Printing Users" -Path "OU=SupportGroups,OU=IT-Services,DC=test,DC=case"
-New-ADGroup -Name "CostCenter-123" -SamAccountName CostCenter-123 -GroupCategory Security -GroupScope Global -DisplayName "CostCenter 123 Users" -Path "OU=CostCenter,OU=SupportGroups,OU=IT-Services,DC=test,DC=case"
-New-ADGroup -Name "CostCenter-125" -SamAccountName CostCenter-125 -GroupCategory Security -GroupScope Global -DisplayName "CostCenter 125 Users" -Path "OU=CostCenter,OU=SupportGroups,OU=IT-Services,DC=test,DC=case"
+New-ADGroup -Name "SecurePrinting" -SamAccountName SecurePrinting -GroupCategory Security -GroupScope Global -DisplayName "Secure Printing Users" -Path "OU=SupportGroups,OU=IT-Services,<%= @ldap_dc %>"
+New-ADGroup -Name "CostCenter-123" -SamAccountName CostCenter-123 -GroupCategory Security -GroupScope Global -DisplayName "CostCenter 123 Users" -Path "OU=CostCenter,OU=SupportGroups,OU=IT-Services,<%= @ldap_dc %>"
+New-ADGroup -Name "CostCenter-125" -SamAccountName CostCenter-125 -GroupCategory Security -GroupScope Global -DisplayName "CostCenter 125 Users" -Path "OU=CostCenter,OU=SupportGroups,OU=IT-Services,<%= @ldap_dc %>"
 
 Add-ADGroupMember -Identity SecurePrinting -Member CostCenter-125
 
 Add-ADGroupMember -Identity CostCenter-125 -Member mike.hammer
 Add-ADGroupMember -Identity CostCenter-123 -Member john.franklin
 
-Get-AdUser -Filter * -SearchBase "OU=Users,OU=HeadQuarter,OU=Locations,DC=test,DC=case" -Properties msSFU30NisDomain | Set-ADUser -Replace @{msSFU30NisDomain = 'test'}
-Get-AdUser -Filter * -SearchBase "OU=Users,OU=HeadQuarter,OU=Locations,DC=test,DC=case" -Properties gidnumber | Set-ADUser -Replace @{gidnumber = 40000}
+Get-AdUser -Filter * -SearchBase "OU=Users,OU=HeadQuarter,OU=Locations,<%= @ldap_dc %>" -Properties msSFU30NisDomain | Set-ADUser -Replace @{msSFU30NisDomain = '<%= @domain.split('.').first %>'}
+Get-AdUser -Filter * -SearchBase "OU=Users,OU=HeadQuarter,OU=Locations,<%= @ldap_dc %>" -Properties gidnumber | Set-ADUser -Replace @{gidnumber = 40000}
 
 
 Get-AdUser -Filter {samaccountname -like "davegrohl"} | Set-ADUser -Replace @{uidnumber = 60000}